Piwigo before 13.6.0 was discovered to contain a SQL injection vulnerability via the order[0][dir] parameter at user_list_backend.php.
CVSS Score
8.8
EPSS Score
0.004
Published
2023-05-17
SQL injection vulnerability found in Piwigo v.13.5.0 and before allows a remote attacker to execute arbitrary code via the filter_user_id parameter to the admin.php?page=history&filter_image_id=&filter_user_id endpoint.
CVSS Score
8.8
EPSS Score
0.517
Published
2023-04-21
Piwigo v12.2.0 was discovered to contain SQL injection vulnerability via the Search function.
CVSS Score
7.5
EPSS Score
0.005
Published
2022-07-14
Piwigo is image gallery software written in PHP. When a criteria is not met on a host, piwigo defaults to usingmt_rand in order to generate password reset tokens. mt_rand output can be predicted after recovering the seed used to generate it. This low an unauthenticated attacker to take over an account providing they know an administrators email address in order to be able to request password reset.
CVSS Score
8.1
EPSS Score
0.019
Published
2022-01-28
SQL injection exists in Piwigo before 11.4.0 via the language parameter to admin.php?page=languages.
CVSS Score
7.2
EPSS Score
0.003
Published
2021-04-02
Cross-site request forgery (CSRF) vulnerability in the administration panel in Piwigo before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that add users via a pwg.users.add action in a request to ws.php.
CVSS Score
6.5
EPSS Score
0.025
Published
2018-03-16
Piwigo before 2.9.3 has SQL injection in admin/tags.php in the administration panel, via the tags array parameter in an admin.php?page=tags request. The attacker must be an administrator.
CVSS Score
4.9
EPSS Score
0.003
Published
2018-02-24
The application Piwigo is affected by an SQL injection vulnerability in version 2.9.2 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. tags.php is affected: values of the edit_list parameters are not sanitized; these are used to construct an SQL query and retrieve a list of registered users into the application.
CVSS Score
6.5
EPSS Score
0.002
Published
2017-12-01
Cross Site Scripting (XSS) exists in Piwigo before 2.8.3 via a crafted search expression to include/functions_search.inc.php.
CVSS Score
6.1
EPSS Score
0.004
Published
2017-10-10
url_check_format in include/functions.inc.php in Piwigo before 2.8.3 allows remote attackers to bypass intended access restrictions via a URL that contains a " character, or a URL beginning with a substring other than the http:// or https:// substring.
CVSS Score
6.5
EPSS Score
0.003
Published
2017-10-10