Piwigo Security Vulnerabilities

CVE-2023-51790

Cross Site Scripting vulnerability in piwigo v.14.0.0 allows a remote attacker to obtain sensitive information via the lang parameter in the Admin Tools plug-in...

CVE-2023-44393

Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability is in the/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here] page. This vulnerability can be exploited by an attacker to inject malicious HTML and JS....

CVE-2023-37270

Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the administrator screen. The SQL statement that acquires the HTTP Header User-Agent is vulnerable at the endpoint that records user information when logging in to the...

CVE-2023-34626

Piwigo 13.7.0 is vulnerable to SQL Injection via the "Users"...

CVE-2023-33361

Piwigo 13.6.0 is vulnerable to SQL Injection via...

CVE-2023-33362

Piwigo 13.6.0 is vulnerable to SQL Injection via in the "profile"...

CVE-2023-33359

Piwigo 13.6.0 is vulnerable to Cross Site Request Forgery (CSRF) in the "add tags"...

CVE-2023-27233

Piwigo before 13.6.0 was discovered to contain a SQL injection vulnerability via the order[0][dir] parameter at...

CVE-2023-26876

SQL injection vulnerability found in Piwigo v.13.5.0 and before allows a remote attacker to execute arbitrary code via the filter_user_id parameter to the admin.php?page=history&filter_image_id=&filter_user_id...

CVE-2022-48007

A stored cross-site scripting (XSS) vulnerability in identification.php of Piwigo v13.4.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the...

CVE-2022-37183

Piwigo 12.3.0 is vulnerable to Cross Site Scripting (XSS) via...

CVE-2022-32297

Piwigo v12.2.0 was discovered to contain SQL injection vulnerability via the Search...

CVE-2021-40553

piwigo 11.5.0 is affected by a remote code execution (RCE) vulnerability in the LocalFiles...

CVE-2021-40678

In Piwigo 11.5.0, there exists a persistent cross-site scripting in the single mode function through...

CVE-2021-40317

Piwigo 11.5.0 is affected by a SQL injection vulnerability via admin.php and the id...

CVE-2020-19216

SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to...

CVE-2020-19215

SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to...

CVE-2020-19217

SQL Injection vulnerability in admin/batch_manager.php in piwigo v2.9.5, via the filter_category parameter to...

CVE-2020-19213

SQL Injection vulnerability in cat_move.php in piwigo v2.9.5, via the selection parameter to...

CVE-2020-19212

SQL Injection vulnerability in admin/group_list.php in piwigo v2.9.5, via the group parameter to...

CVE-2022-26267

Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in...

CVE-2022-26266

Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via...

CVE-2022-24620

Piwigo version 12.2.0 is vulnerable to stored cross-site scripting (XSS), which can lead to privilege escalation. In this way, admin can steal webmaster's cookies to get the webmaster's...

CVE-2021-45357

Cross Site Scripting (XSS) vulnerability exists in Piwigo 12.x via the pwg_activity function in...

CVE-2016-3735

Piwigo is image gallery software written in PHP. When a criteria is not met on a host, piwigo defaults to usingmt_rand in order to generate password reset tokens. mt_rand output can be predicted after recovering the seed used to generate it. This low an unauthenticated attacker to take over an...

CVE-2021-40882

A Cross Site Scripting (XSS) vulnerability exists in Piwigo 11.5.0 via the system album name and description of the...

CVE-2021-40313

Piwigo v11.5 was discovered to contain a SQL injection vulnerability via the parameter pwg_token in...

CVE-2020-22148

A stored cross site scripting (XSS) vulnerability in /admin.php?page=tags of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or...

CVE-2020-22150

A cross site scripting (XSS) vulnerability in /admin.php?page=permalinks of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or...

CVE-2021-32615

Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL...

CVE-2021-27973

SQL injection exists in Piwigo before 11.4.0 via the language parameter to...

CVE-2020-9467

Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo...

CVE-2020-9468

The Community plugin 2.9.e-beta for Piwigo allows users to set image information on images in albums for which they do not have permission, by manipulating the image_id...

CVE-2020-8089

Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to the group_list...

CVE-2012-4525

piwigo has XSS in...

CVE-2012-4526

piwigo has XSS in password.php (incomplete fix for...

CVE-2019-13364

admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat_number, billing_name, company, or billing_address parameter. This is exploitable via...

CVE-2019-13363

admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent_post_dates, or param_submit parameter. This is exploitable via...

CVE-2014-4613

Cross-site request forgery (CSRF) vulnerability in the administration panel in Piwigo before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that add users via a pwg.users.add action in a request to...

CVE-2018-7724

The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. CSRF exploitation, related to CVE-2017-10681, may be...

CVE-2018-7723

The management panel in Piwigo 2.9.3 has stored XSS via the virtual_name parameter in a /admin.php?page=cat_list request, a different issue than CVE-2017-9836. CSRF exploitation, related to CVE-2017-10681, may be...

CVE-2018-7722

The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /ws.php?format=json request. CSRF exploitation, related to CVE-2017-10681, may be...

CVE-2018-6883

Piwigo before 2.9.3 has SQL injection in admin/tags.php in the administration panel, via the tags array parameter in an admin.php?page=tags request. The attacker must be an...

CVE-2018-5692

Piwigo v2.8.2 has XSS via the tab, to, section, mode, installstatus, and display parameters of the admin.php...

CVE-2017-17822

The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via the /admin/user_list_backend.php sSortDir_0 parameter. An attacker can exploit this to gain access to the data in a connected MySQL...

CVE-2017-17825

The Batch Manager component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via tags-* array parameters in an admin.php?page=batch_manager&mode=unit request. An attacker can exploit this to hijack a client's browser along with the data stored in...

CVE-2017-17823

The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/configuration.php order_by array parameter. An attacker can exploit this to gain access to the data in a connected MySQL...

CVE-2017-17824

The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/batch_manager_unit.php element_ids parameter in unit mode. An attacker can exploit this to gain access to the data in a connected MySQL...

CVE-2017-17827

Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration§ion=main or /admin.php?page=batch_manager&mode=unit. An attacker can exploit this to coerce an admin user into performing unintended...

CVE-2017-17826

The Configuration component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via the gallery_title parameter in an admin.php?page=configuration§ion=main request. An attacker can exploit this to hijack a client's browser along with the data stored in...