CVE-2016-10514

Name of the Vulnerable Software and Affected Versions Piwigo versions prior to 2.8.3

Description The issue allows remote attackers to bypass intended access restrictions. This can be achieved via a URL that contains a " character, or a URL beginning with a substring other than the http:// or https:// substring. The problem is located in the url check format function in include/functions.inc.php.

Recommendations For versions prior to 2.8.3, update to version 2.8.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the url check format function in include/functions.inc.php until a patch is available. Avoid using URLs that contain a " character or start with substrings other than http:// or https:// in the affected function.