CVE-2012-2930
TinyWebGallery < 1.8.8 - Cross-Site Request Forgery via Admin User Management
Title source: llmDescription
Multiple cross-site request forgery (CSRF) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user via an adduser action to admin/index.php or (2) conduct static PHP code injection attacks in .htusers.php via the user parameter to admin/index.php.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
http://www.tinywebgallery.com/forum/web-photo-gallery-news-f14/twg-1-8-8-is-available-t3274.html
Exploit x_refsource_misc
https://www.htbridge.com/advisory/HTB23093
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/show/osvdb/82961
Scores
EPSS
0.0070
EPSS Percentile
48.9%
Details
CWE
CWE-352
Status
published
Products (1)
tinywebgallery/tinywebgallery
< 1.8.6
Published
Apr 24, 2015
Tracked Since
Feb 18, 2026