Re: Piwigo version: 2.93

Hello,

Piwigo has some serious vulnerabilities reported in the US government's National Vulnerability Database. That agency is probably slow to update changes, so I am asking you directly. Have the following Piwigo (and plugin) problems been fixed?

Many Thanks,
C E Tims

------

CVE-2018-7724
The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. CSRF exploitation, related to CVE-2017-10681, may be possible.
Published: March 06, 2018

CVE-2018-7723
The management panel in Piwigo 2.9.3 has stored XSS via the virtual_name parameter in a /admin.php?page=cat_list request, a different issue than CVE-2017-9836. CSRF exploitation, related to CVE-2017-10681, may be possible.
Published: March 06, 2018

CVE-2018-7722
The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /ws.php?format=json request. CSRF exploitation, related to CVE-2017-10681, may be possible.
Published: March 06, 2018

CVE-2017-9426
ws.php in the Facetag extension 0.0.3 for Piwigo allows SQL injection via the imageId parameter in a facetag.changeTag or facetag.listTags action.
Published: February 25, 2018
V3: 9.8 CRITICAL
V2: 7.5 HIGH

CVE-2017-9425
The Facetag extension 0.0.3 for Piwigo allows XSS via the name parameter to ws.php in a facetag.changeTag action.
Published: February 25, 2018

MORE AT SOURCE: https://nvd.nist.gov/vuln/search/result … ery=piwigo

Last edited by cetims (2018-04-19 17:43:22)