sahildhar

6 exploits Active since Dec 2017
CVE-2017-17822 WRITEUP MEDIUM WRITEUP
Piwigo - SQL Injection
The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via the /admin/user_list_backend.php sSortDir_0 parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.
CVSS 4.9
CVE-2017-17823 WRITEUP MEDIUM WRITEUP
Piwigo - SQL Injection
The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/configuration.php order_by array parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.
CVSS 4.9
CVE-2017-17824 WRITEUP MEDIUM WRITEUP
Piwigo - SQL Injection
The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/batch_manager_unit.php element_ids parameter in unit mode. An attacker can exploit this to gain access to the data in a connected MySQL database.
CVSS 4.9
CVE-2017-17825 WRITEUP MEDIUM WRITEUP
Piwigo - XSS
The Batch Manager component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via tags-* array parameters in an admin.php?page=batch_manager&mode=unit request. An attacker can exploit this to hijack a client's browser along with the data stored in it.
CVSS 4.8
CVE-2017-17826 WRITEUP MEDIUM WRITEUP
Piwigo - XSS
The Configuration component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via the gallery_title parameter in an admin.php?page=configuration&section=main request. An attacker can exploit this to hijack a client's browser along with the data stored in it.
CVSS 6.1
CVE-2017-17827 WRITEUP HIGH WRITEUP
Piwigo - CSRF
Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration&section=main or /admin.php?page=batch_manager&mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions.
CVSS 8.8