CVE-2021-40313: Piwigo v11.5 was discovered to contain a SQL injection vulnerability via the parameter pwg_token in /admin/batch_manager_global.php. Not sure about a fix, asked for clarification in the issue.
Waiting on the upstream discussion to progress indeed; as it mentions 11.5 explicitly, it may just end up being a cleanup bug (we have 12.x versions in tree).
CVE-2021-40882 (https://github.com/Piwigo/Piwigo/issues/1477): A Cross Site Scripting (XSS) vulnerability exists in Piwigo 11.5.0 via the system album name and description of the location.
CVE-2021-45357 (https://github.com/Piwigo/Piwigo/issues/1582): Cross Site Scripting (XSS) vulnerability exists in Piwigo 12.x via the pwg_activity function in include/functions.inc.php.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99818f7a433a75e3350b05432b90104eff9d3556

commit 99818f7a433a75e3350b05432b90104eff9d3556
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2022-02-20 15:50:47 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2022-02-20 15:50:47 +0000

    www-apps/piwigo: clean old versions

    https://github.com/Piwigo/Piwigo/issues/1582 mentions all versions <=12.1.0 have an XSS vulnerability

    Bug: https://bugs.gentoo.org/828581
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/piwigo/Manifest                |  3 ---
 www-apps/piwigo/piwigo-11.5.0-r1.ebuild | 44 ---------------------------------
 www-apps/piwigo/piwigo-12.0.0.ebuild    | 44 ---------------------------------
 www-apps/piwigo/piwigo-12.1.0.ebuild    | 44 ---------------------------------
 4 files changed, 135 deletions(-)
CVE-2022-24620 (https://github.com/Piwigo/Piwigo/issues/1605): Piwigo version 12.2.0 is vulnerable to stored cross-site scripting (XSS), which can lead to privilege escalation. In this way, an admin can steal the webmaster's cookies to get the webmaster's access.
CVE-2022-26266 (https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_SQLinject.md): Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via pwg.users.php.

CVE-2022-26267 (https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_InforMation_Disclosure.md): Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php.
CVE-2021-40678 (https://github.com/Piwigo/Piwigo/issues/1476): In Piwigo 11.5.0, there exists a persistent cross-site scripting in the single mode function through /admin.php?page=batch_manager&mode=unit.
Still hard to track the vulnerabilities in it; just updating status, as many of the mentioned versions have been dropped for a while (and now only 13.7.0 will be in tree for #847979).