Lucene search

[email protected]CVE-2017-17827

HistoryDec 21, 2017 - 4:29 a.m.

CVE-2017-17827

2017-12-2104:29:00

CWE-352

[email protected]

web.nvd.nist.gov

piwigo

2.9.2

csrf

vulnerability

admin panel

admin.php

configuration

main

batch manager

nvd

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.7 Medium

AI Score

Confidence

Low

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

55.0%

JSON

Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration&section=main or /admin.php?page=batch_manager&mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions.

CPENameOperatorVersion
piwigo:piwigopiwigoeq2.9.2

CPE	Name	Operator	Version
piwigo:piwigo	piwigo	eq	2.9.2

References

github.com/Piwigo/Piwigo/commit/c3b4c6f7f0ddeaea492080fb8211d7b4cfedaf6f

github.com/Piwigo/Piwigo/issues/822

github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Cross%20Site%20Request%20Forgery%20in%20Piwigo%202.9.2.md

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.7 Medium

AI Score

Confidence

Low

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

55.0%

JSON

Related for CVE-2017-17827

osv1 prion1 cvelist1 openvas1