CVE-2012-2930

Name of the Vulnerable Software and Affected Versions TinyWebGallery versions prior to 1.8.8

Description The issue allows remote attackers to hijack the authentication of administrators for requests. This can be done in two ways: by adding a user via an "adduser" action to "admin/index.php" or by conducting static PHP code injection attacks in ".htusers.php" via the user parameter to "admin/index.php".

Recommendations For versions prior to 1.8.8, update to version 1.8.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the "admin/index.php" endpoint to minimize the risk of exploitation. Avoid using the user parameter in the affected API endpoint until the issue is resolved.