CVE-2017-16893 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16893): The application Piwigo is affected by an SQL injection vulnerability in version 2.9.2 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. tags.php is affected: values of the edit_list parameters are not sanitized; these are used to construct an SQL query and retrieve the list of users registered in the application.
@Maintainer, please let us know when the tree is clean of vulnerable versions. Thank you.
CVE-2017-17827 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17827): Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration&section=main or /admin.php?page=batch_manager&mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions.

CVE-2017-17826 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17826): The Configuration component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via the gallery_title parameter in an admin.php?page=configuration&section=main request. An attacker can exploit this to hijack a client's browser along with the data stored in it.

CVE-2017-17825 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17825): The Batch Manager component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via tags-* array parameters in an admin.php?page=batch_manager&mode=unit request. An attacker can exploit this to hijack a client's browser along with the data stored in it.

CVE-2017-17824 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17824): The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/batch_manager_unit.php element_ids parameter in unit mode. An attacker can exploit this to gain access to the data in a connected MySQL database.

CVE-2017-17823 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17823): The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/configuration.php order_by array parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.

CVE-2017-17822 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17822): The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via the /admin/user_list_backend.php sSortDir_0 parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.
CVE-2017-17775 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17775): Piwigo 2.9.2 has XSS via the name parameter in an admin.php?page=album-3-properties request.

CVE-2017-17774 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17774): admin/configuration.php in Piwigo 2.9.2 has CSRF.
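Two of the CVEs above (CVE-2017-17823, the order_by parameter, and CVE-2017-17822, the sSortDir_0 parameter) are the same bug class: a sort column or sort direction taken from the request and spliced into an ORDER BY clause, where it cannot be passed as a bound parameter. The following is an added illustration of that class and of the allowlist fix, written for this bug for context; it is not Piwigo's code, does not use Piwigo's schema or parameter names, and runs against a constructed in-memory SQLite table. It also shows why "the query only returns usernames" is no defence: the row order itself becomes a boolean oracle that leaks a column the query never selects.

```python
import sqlite3

# Hypothetical allowlists for the example's own table; not Piwigo's.
ALLOWED_SORT_COLUMNS = {"id", "username"}
ALLOWED_SORT_DIRECTIONS = {"ASC", "DESC"}
PROBE_ALPHABET = "abcdefghijklmnopqrstuvwxyz_"


def make_db():
    """Constructed sample data for the example; this is not Piwigo's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash_a"), ("bob", "hash_b"), ("carol", "hash_c")],
    )
    return conn


def list_users_vulnerable(conn, sort_col, sort_dir):
    """Sort column and direction come straight from the request and are spliced
    into the SQL text. ORDER BY terms cannot be bound as parameters, so string
    interpolation without an allowlist is exactly the vulnerable pattern."""
    sql = f"SELECT username FROM users ORDER BY {sort_col} {sort_dir}"
    return [row[0] for row in conn.execute(sql)]


def probe_secret_char(conn, position, candidate):
    """Boolean oracle through the sort order: the result contains only
    usernames, but the row order flips on an attacker-chosen condition, here a
    guess at one character of user 1's stored password_hash."""
    payload = (
        "(CASE WHEN (SELECT substr(password_hash, {pos}, 1) FROM users WHERE id = 1)"
        " = '{guess}' THEN id ELSE -id END)"
    ).format(pos=position, guess=candidate)
    rows = list_users_vulnerable(conn, payload, "ASC")
    # Ascending id puts alice first only when the guess was right; a wrong
    # guess sorts by -id and puts carol first.
    return rows[0] == "alice"


def recover_secret(conn, max_len=16):
    """Recover user 1's password_hash one character at a time via the oracle.
    Stops when no candidate in PROBE_ALPHABET matches (end of value, or a
    character outside the alphabet)."""
    recovered = ""
    for position in range(1, max_len + 1):
        for ch in PROBE_ALPHABET:
            if probe_secret_char(conn, position, ch):
                recovered += ch
                break
        else:
            break
    return recovered


def sort_params_allowed(sort_col, sort_dir):
    """Allowlist check: exact column names and only ASC/DESC (any case).
    Anything else, including 'ASC, <expr>', is rejected outright."""
    return sort_col in ALLOWED_SORT_COLUMNS and sort_dir.upper() in ALLOWED_SORT_DIRECTIONS


def list_users_hardened(conn, sort_col, sort_dir):
    """Same query, but the ORDER BY pieces are validated against fixed
    allowlists before they are ever placed in the SQL text."""
    if not sort_params_allowed(sort_col, sort_dir):
        raise ValueError(f"rejected sort parameters: {sort_col!r} {sort_dir!r}")
    sql = f"SELECT username FROM users ORDER BY {sort_col} {sort_dir.upper()}"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, default order:", list_users_vulnerable(db, "id", "ASC"))
    print("leaked via sort-order oracle:", recover_secret(db))
    print("hardened, username desc:", list_users_hardened(db, "username", "desc"))
    try:
        list_users_hardened(db, "(CASE WHEN 1=1 THEN id END)", "ASC")
    except ValueError as exc:
        print("hardened rejected injection:", exc)
```

The same allowlist approach applies to a direction parameter: with a non-unique primary sort key, an attacker appending ", (CASE ... END)" to the direction controls the tie-breaking order and gets the same oracle, so the direction must be matched exactly against ASC/DESC rather than merely stripped of quotes.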
All CVEs listed in comment 3 are marked fixed upstream in 2.9.3, which I just added to the tree, and I removed the older vulnerable versions. The CVE from comment 1 was found to be invalid; see: https://github.com/Piwigo/Piwigo/issues/804
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cf239ba44fd25f04635fe886187d3848fe391ab2

commit cf239ba44fd25f04635fe886187d3848fe391ab2
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2018-02-26 20:08:08 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2018-02-26 20:08:19 +0000

    www-apps/piwigo: drop security vulnerable versions

    Bug: https://bugs.gentoo.org/639704
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 www-apps/piwigo/Manifest            |  2 --
 www-apps/piwigo/piwigo-2.9.1.ebuild | 43 -------------------------------------
 www-apps/piwigo/piwigo-2.9.2.ebuild | 43 -------------------------------------
 3 files changed, 88 deletions(-)