CVE-2021-40317: Piwigo 11.5.0 is affected by a SQL injection vulnerability via admin.php and the id parameter. This was closed by the reporter as completed, but without any reference to a fix.
This can probably be included in bug #828581? It has several CVEs, including SQL injections (and, similar to the others, the GitHub issues are marked as fixed without a clear link to the fix patch/fixed version...)
CVE-2021-40553 (https://github.com/Yang9999999/vuln/blob/main/README.md): piwigo 11.5.0 is affected by a remote code execution (RCE) vulnerability in the LocalFiles Editor. No link to a report upstream in this writeup.
To be on the safe side I only left the just-released 12.3.0 in tree: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=88b0c6b9e0a221c06555546615437e8050f8e8e4 (this bug and also #828581)
CVE-2022-32297 (https://github.com/sth276/research/blob/main/piwigo_vul/Second-Order%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo.md): Piwigo v12.2.0 was discovered to contain SQL injection vulnerability via the Search function. Of course, despite the CVE description, the writeup says <12.2.0 is affected. I've asked the person to point out the patch: https://github.com/sth276/research/issues/1
CVE-2022-37183 (https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Piwigo/2022/12.3.0): Piwigo 12.3.0 is vulnerable to Cross Site Scripting (XSS) via /search/1940/created-monthly-list. No reference to any upstream report or fix.

This reads a bit like the stupid Grafana CVEs, where the "researcher" finds something they think looks like a problem, makes an "exploit" which looks like it exploits a different type of vulnerability, but requests a CVE for the original "problem".

From the URL: "The attacker can trick a user to visit some crafted URL that is connected exactly to this system." This is typical of XSS exploits: getting someone to click on a crafted URL gets a victim to run attacker-crafted JS in the context of the victim's browser/session.

"Then he can trick the user to visit some malicious address that the victim will think is connected with the original web address it depending on the scenario." But... this reads a bit like they've found an open redirect. Nothing in the writeup looks like the "victim" is redirected to a different website, and no XSS is demonstrated. Putting garbage in the URL does indeed make some garbage appear on the page, but that's not the same as XSS.
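The distinction drawn in the comment above (reflected-but-escaped garbage vs. real XSS vs. an open redirect) is exactly what has to be checked when triaging such a report. The following is an added example written for this thread, not Piwigo code and not the reporter's exploit: it takes a captured HTTP response (status, headers, body) after a marker with HTML metacharacters was injected into a request, and reports whether the marker came back verbatim (worth a manual XSS review), came back HTML-escaped (not XSS by itself), or whether the server answered with a redirect to another host. The sample responses, the marker and the host name gallery.example are constructed for the example.

```python
# Added triage helper for "XSS" reports that may really be harmless
# reflection or an open redirect. Not Piwigo code; all inputs are constructed.
import html
from urllib.parse import urlsplit

# Probe containing <, >, " and ' so that output escaping is observable.
MARKER = '<zq"x\'>'


def is_offsite(location, own_host):
    """True if a Location header would send the browser to a different host.

    Scheme-relative values like //evil.example/x parse with a netloc, so they
    are caught too. Host comparison is a triage heuristic, not a full
    same-origin check (ports and userinfo are not normalised).
    """
    parts = urlsplit(location.strip())
    return bool(parts.netloc) and parts.netloc.lower() != own_host.lower()


def classify_reflection(status, headers, body, marker, own_host):
    """Classify what the server did with the injected marker.

    Returns one of:
      'open-redirect'      3xx whose Location points at another host
      'reflected-raw'      marker appears verbatim: needs manual XSS review
                           (context matters: text node, attribute, script)
      'reflected-escaped'  marker only appears HTML-escaped: not XSS by itself
      'not-reflected'      marker does not come back at all
    """
    location = headers.get("Location") or headers.get("location")
    if 300 <= status < 400 and location and is_offsite(location, own_host):
        return "open-redirect"
    if marker in body:
        return "reflected-raw"
    # html.escape(MARKER, quote=True) == '&lt;zq&quot;x&#x27;&gt;'
    if html.escape(marker, quote=True) in body:
        return "reflected-escaped"
    return "not-reflected"


# Constructed responses standing in for captures of a search-style page.
OWN_HOST = "gallery.example"
ESCAPED_PAGE = "<h2>Search results for &lt;zq&quot;x&#x27;&gt;</h2>"
RAW_PAGE = '<h2>Search results for <zq"x\'></h2>'

SAMPLES = {
    "escaped output": (200, {}, ESCAPED_PAGE),
    "raw output": (200, {}, RAW_PAGE),
    "offsite redirect": (302, {"Location": "https://attacker.example/"}, ""),
    "local redirect": (302, {"Location": "/index.php"}, ""),
}


def triage_all(samples=SAMPLES, marker=MARKER, own_host=OWN_HOST):
    """Run the classifier over every sample; returns {name: verdict}."""
    return {
        name: classify_reflection(status, headers, body, marker, own_host)
        for name, (status, headers, body) in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:18s} -> {verdict}")
```

A 'reflected-raw' verdict is a reason to look at the surrounding markup by hand, not a confirmed XSS; 'reflected-escaped' is the "garbage appears on the page" case from the comment, which is not a vulnerability on its own.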
CVE-2023-26876 (https://gist.github.com/rodnt/a190d14d1715890d8df19bad58b90693) SQL injection vulnerability found in Piwigo v.13.5.0 and before allows a remote attacker to execute arbitrary code via the filter_user_id parameter to the admin.php?page=history&filter_image_id=&filter_user_id endpoint. Of course, SQL injection isn't really "arbitrary code execution"...
I guess that last one is the last mentioned issue in https://piwigo.org/release-13.7.0: "1876 / Security [History page] SQL injection issue found in 13.5.0" (2 other SQL injections are mentioned). In all cases I am adding 13.7.0 and dropping previous versions.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a6d53ca50646592077760070f329bb3175d035cf

commit a6d53ca50646592077760070f329bb3175d035cf
Author: Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2023-05-12 14:58:00 +0000
Commit: Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2023-05-12 14:58:39 +0000

    www-apps/piwigo: 13.7.0 bump, drop older versions for security vulns

    Bug: https://bugs.gentoo.org/847979
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/piwigo/Manifest                           |  3 +-
 www-apps/piwigo/piwigo-13.6.0.ebuild               | 44 ----------------------
 .../{piwigo-13.5.0.ebuild => piwigo-13.7.0.ebuild} |  0
 3 files changed, 1 insertion(+), 46 deletions(-)