Shodan
Vulnerabilities
Vulnerable Software
Piwigo:  Security Vulnerabilities
CVE-2018-7724
The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. CSRF exploitation, related to CVE-2017-10681, may be possible.
CVSS Score
5.4
EPSS Score
0.001
Published
2018-03-06
CVE-2018-6883
Piwigo before 2.9.3 has SQL injection in admin/tags.php in the administration panel, via the tags array parameter in an admin.php?page=tags request. The attacker must be an administrator.
CVSS Score
4.9
EPSS Score
0.003
Published
2018-02-24
CVE-2018-5692
Piwigo v2.8.2 has XSS via the `tab`, `to`, `section`, `mode`, `installstatus`, and `display` parameters of the `admin.php` file.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-01-14
CVE-2017-17822
The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via the /admin/user_list_backend.php sSortDir_0 parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.
CVSS Score
4.9
EPSS Score
0.003
Published
2017-12-21
CVE-2017-17823
The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/configuration.php order_by array parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.
CVSS Score
4.9
EPSS Score
0.003
Published
2017-12-21
CVE-2017-17824
The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/batch_manager_unit.php element_ids parameter in unit mode. An attacker can exploit this to gain access to the data in a connected MySQL database.
CVSS Score
4.9
EPSS Score
0.003
Published
2017-12-21
CVE-2017-17825
The Batch Manager component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via tags-* array parameters in an admin.php?page=batch_manager&mode=unit request. An attacker can exploit this to hijack a client's browser along with the data stored in it.
CVSS Score
4.8
EPSS Score
0.002
Published
2017-12-21
CVE-2017-17826
The Configuration component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via the gallery_title parameter in an admin.php?page=configuration&section=main request. An attacker can exploit this to hijack a client's browser along with the data stored in it.
CVSS Score
6.1
EPSS Score
0.002
Published
2017-12-21
CVE-2017-17827
Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration&section=main or /admin.php?page=batch_manager&mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions.
CVSS Score
8.8
EPSS Score
0.002
Published
2017-12-21
CVE-2017-17774
admin/configuration.php in Piwigo 2.9.2 has CSRF.
CVSS Score
8.8
EPSS Score
0.001
Published
2017-12-20


Products
Pricing
Contact Us

Shodan ® - All rights reserved