CVE-2014-4614

Piwigo < 2.6.2 - Cross-Site Request Forgery via Multiple Admin Methods

Title source: llm
STIX 2.1

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in Piwigo before 2.6.2 allow remote attackers to hijack the authentication of administrators for requests that use the (1) pwg.groups.addUser, (2) pwg.groups.deleteUser, (3) pwg.groups.setInfo, (4) pwg.users.setInfo, (5) pwg.permissions.add, or (6) pwg.permissions.remove method.

References (3)

Core 3
Core References
Mailing List mailing-list x_refsource_mlist
http://seclists.org/oss-sec/2014/q2/623
Vendor Advisory x_refsource_confirm
http://piwigo.org/bugs/view.php?id=0003055
Release Notes x_refsource_confirm
http://piwigo.org/releases/2.6.2

Scores

EPSS 0.0066
EPSS Percentile 47.1%

Details

CWE
CWE-352
Status published
Products (50)
piwigo/piwigo 1.0.0
piwigo/piwigo 1.0.1
piwigo/piwigo 1.0.2
piwigo/piwigo 1.1.0
piwigo/piwigo 1.2.0
piwigo/piwigo 1.2.1
piwigo/piwigo 1.3.0
piwigo/piwigo 1.3.1
piwigo/piwigo 1.3.2
piwigo/piwigo 1.3.3
... and 40 more
Published Jul 02, 2014
Tracked Since Feb 18, 2026