Vulnerabilities (CVE)

Filtered by vendor Piwigo Subscribe

CVSS v3 Filter

ALL

NONE (0.0) LOW (0.1 - 3.9) MEDIUM (4.0 - 6.9) HIGH (7.0 - 8.9) CRITICAL (9.0 - 10.0)

Search

Total 8 CVE

CVE	Vendors	Products	Updated	CVSS v2	CVSS v3
CVE-2020-19213	1 Piwigo	1 Piwigo	2022-05-13	7.5 HIGH	9.8 CRITICAL
SQL Injection vulnerability in cat_move.php in piwigo v2.9.5, via the selection parameter to move_categories.
CVE-2021-32615	1 Piwigo	1 Piwigo	2021-05-21	7.5 HIGH	9.8 CRITICAL
Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.
CVE-2019-13363	1 Piwigo	1 Piwigo	2020-08-24	6.8 MEDIUM	9.6 CRITICAL
admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent_post_dates, or param_submit parameter. This is exploitable via CSRF.
CVE-2019-13364	1 Piwigo	1 Piwigo	2020-08-24	6.8 MEDIUM	9.6 CRITICAL
admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat_number, billing_name, company, or billing_address parameter. This is exploitable via CSRF.
CVE-2014-8945	1 Piwigo	1 Lexiglot	2020-06-02	7.5 HIGH	9.8 CRITICAL
admin.php?page=projects in Lexiglot through 2014-11-20 allows command injection via username and password fields.
CVE-2014-8941	1 Piwigo	1 Lexiglot	2020-06-02	7.5 HIGH	9.8 CRITICAL
Lexiglot through 2014-11-20 allows SQL injection via an admin.php?page=users&from_id= or admin.php?page=history&limit= URI.
CVE-2017-10682	1 Piwigo	1 Piwigo	2017-12-20	7.5 HIGH	9.8 CRITICAL
SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter in the comments or status page to cat_options.php.
CVE-2016-10105	1 Piwigo	1 Piwigo	2017-01-05	7.5 HIGH	9.8 CRITICAL
admin/plugin.php in Piwigo through 2.8.3 doesn't validate the sections variable while using it to include files. This can cause information disclosure and code execution if it contains a .. sequence.