flop25

4 exploits, active since Jun 2017
CVE-2017-10682 CRITICAL WRITEUP
Piwigo < 2.9.1 - SQL Injection via cat_false or cat_true Parameter
SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter in the comments or status page to cat_options.php.
CVSS 9.8
CVE-2017-10678 HIGH WRITEUP
Piwigo <= 2.9.1 - Cross-Site Request Forgery via Permalink Deletion
Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to delete permalinks via a crafted request.
CVSS 8.8
CVE-2017-10680 HIGH WRITEUP
Piwigo <= 2.9.1 - Cross-Site Request Forgery via Album Privacy Change
Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to change a private album to public via a crafted request.
CVSS 8.8
CVE-2017-10681 HIGH WRITEUP
Piwigo <= 2.9.1 - Cross-Site Request Forgery via Album Unlock Request
Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to unlock albums via a crafted request.
CVSS 8.8