Rodolfo Augusto Do Nascimento Tavares

Researcher fromTempest Security Intelligence
#11193of 53,633
24.6Total CVSS
Vulnerabilities · 3
Medium
1
Critical
2
PT-2021-18627
5.4
2021-04-06
Unknown · Liquidfiles · CVE-2021-30140
**Name of the Vulnerable Software and Affected Versions** LiquidFiles versions 3.4.15 **Description** The issue is related to stored XSS through the "send email" functionality when sending a file via email to an administrator. When a file has no extension and contains malicious HTML/JavaScript content, such as SVG with HTML content, the payload is executed upon a click. **Recommendations** For LiquidFiles version 3.4.15, update to version 3.5 to resolve the issue. As a temporary workaround, consider restricting the "send email" functionality to prevent potential exploitation.
PT-2019-13293
9.6
2019-09-13
Piwigo · Piwigo · CVE-2019-13363
**Name of the Vulnerable Software and Affected Versions** Piwigo version 2.9.5 **Description** The issue concerns a Cross-Site Scripting (XSS) exploit in the `admin.php?page=notification by mail` endpoint. This exploit is achievable through several parameters: `nbm send html mail`, `nbm send mail as`, `nbm send detailed content`, `nbm complementary mail content`, `nbm send recent post dates`, or `param submit`. The exploit is also viable through Cross-Site Request Forgery (CSRF). **Recommendations** For Piwigo version 2.9.5, as a temporary workaround, consider restricting access to the `admin.php?page=notification by mail` endpoint to minimize the risk of exploitation. Avoid using the parameters `nbm send html mail`, `nbm send mail as`, `nbm send detailed content`, `nbm complementary mail content`, `nbm send recent post dates`, or `param submit` in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2019-13294
9.6
2019-09-13
Piwigo · Piwigo · CVE-2019-13364
**Name of the Vulnerable Software and Affected Versions** Piwigo version 2.9.5 **Description** The issue concerns an XSS exploit via the "admin.php?page=account billing" endpoint, specifically through the `vat number`, `billing name`, `company`, or `billing address` parameters. This is also exploitable through CSRF. **Recommendations** For Piwigo version 2.9.5, update to a version that includes a fix for this issue to prevent exploitation.