CVE-2008-3481 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3481): themes/sample/theme.php in Coppermine Photo Gallery (CPG) 1.4.18 and earlier allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message.
Created attachment 162581: coppermine poc
Created attachment 162585: CVE-2008-3481.patch
CVE-2008-3486 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3486): Directory traversal vulnerability in the user_get_profile function in include/functions.inc.php in Coppermine Photo Gallery (CPG) 1.4.18 and earlier, when the charset is utf-8, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang part of serialized data in an _data cookie.
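The class of fix CVE-2008-3486 calls for, as an added example that is not taken from this bug report, the attached patch, or Coppermine's code: a language name from untrusted cookie data is checked against a strict pattern and the canonical path is confirmed to sit inside the language directory before anything is included. The function name `resolve_lang_file()`, the `<name>.php` file layout and the sample directory are assumptions made for illustration.

```php
<?php
// Added example, not Coppermine's code. resolve_lang_file() and the
// "<lang>.php inside one directory" layout are assumptions.

function resolve_lang_file(string $langDir, $lang, string $default = 'english'): string
{
    $base = realpath($langDir);
    if ($base === false) {
        throw new RuntimeException("language directory not found: $langDir");
    }

    // 1. Syntactic allowlist: rejects dots, slashes, NUL bytes, non-ASCII
    //    and non-string values that can come out of deserialized data.
    if (!is_string($lang) || !preg_match('/\A[a-z0-9_-]{1,32}\z/', $lang)) {
        $lang = $default;
    }

    // 2. Containment: the canonical path must be a direct child of the
    //    language directory (this also catches symlinks pointing elsewhere).
    $path = realpath($base . DIRECTORY_SEPARATOR . $lang . '.php');
    if ($path === false || dirname($path) !== $base) {
        $path = realpath($base . DIRECTORY_SEPARATOR . $default . '.php');
        if ($path === false || dirname($path) !== $base) {
            throw new RuntimeException('default language file is missing');
        }
    }
    return $path; // only now is this safe to hand to require/include
}

// Constructed demo data: a throwaway language directory with two files.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lang_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . '/english.php', "<?php // constructed sample\n");
file_put_contents($dir . '/german.php', "<?php // constructed sample\n");

// Constructed inputs: one valid name, then values a hostile cookie could carry.
$candidates = ['german', '../../../../etc/passwd', "german\0", 'no_such_lang', ['x']];
foreach ($candidates as $candidate) {
    $file = resolve_lang_file($dir, $candidate);
    printf("%-30s => %s\n", json_encode($candidate), basename($file));
}
```

Only the first candidate resolves to its own file; every other value falls back to the default language file instead of reaching the filesystem with attacker-chosen path components.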
Added coppermine-1.4.19, removed 1.4.16, 1.4.18, unstable on all arches, webapps done.
Thanks, closing without GLSA.