| Field | Value |
|---|---|
| Summary | <www-apps/piwigo-2.9.3: Multiple vulnerabilities |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | GLSAMaker/CVETool Bot <glsamaker> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | trivial |
| Priority | Normal |
| CC | voyageur |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | ~4 [noglsa cve] |
| Package list | (empty) |
| Runtime testing required | --- |
Description
GLSAMaker/CVETool Bot
@Maintainer please let us know when the tree is clean from vulnerable versions. Thank you

CVE-2017-17827 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17827): Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration&section=main or /admin.php?page=batch_manager&mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions.

CVE-2017-17826 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17826): The Configuration component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via the gallery_title parameter in an admin.php?page=configuration&section=main request. An attacker can exploit this to hijack a client's browser along with the data stored in it.

CVE-2017-17825 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17825): The Batch Manager component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via tags-* array parameters in an admin.php?page=batch_manager&mode=unit request. An attacker can exploit this to hijack a client's browser along with the data stored in it.

CVE-2017-17824 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17824): The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/batch_manager_unit.php element_ids parameter in unit mode. An attacker can exploit this to gain access to the data in a connected MySQL database.

CVE-2017-17823 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17823): The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/configuration.php order_by array parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.

CVE-2017-17822 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17822): The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via the /admin/user_list_backend.php sSortDir_0 parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.

CVE-2017-17775 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17775): Piwigo 2.9.2 has XSS via the name parameter in an admin.php?page=album-3-properties request.

CVE-2017-17774 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17774): admin/configuration.php in Piwigo 2.9.2 has CSRF.

All CVEs listed in comment 3 are marked fixed upstream with 2.9.3, just added to tree. And I removed older vulnerable versions.

CVE from comment 1 was found invalid from: https://github.com/Piwigo/Piwigo/issues/804

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cf239ba44fd25f04635fe886187d3848fe391ab2

    commit cf239ba44fd25f04635fe886187d3848fe391ab2
    Author:     Bernard Cafarelli <voyageur@gentoo.org>
    AuthorDate: 2018-02-26 20:08:08 +0000
    Commit:     Bernard Cafarelli <voyageur@gentoo.org>
    CommitDate: 2018-02-26 20:08:19 +0000

        www-apps/piwigo: drop security vulnerable versions

        Bug: https://bugs.gentoo.org/639704
        Package-Manager: Portage-2.3.24, Repoman-2.3.6

     www-apps/piwigo/Manifest            |  2 --
     www-apps/piwigo/piwigo-2.9.1.ebuild | 43 -------------------------------------
     www-apps/piwigo/piwigo-2.9.2.ebuild | 43 -------------------------------------
     3 files changed, 88 deletions(-)
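The SQL injection entries above (CVE-2017-17822 via the sSortDir_0 parameter, and the order_by parameter of CVE-2017-17823) share one pattern: a sort column or sort direction taken from the request and concatenated into an ORDER BY clause, which cannot be bound as a placeholder. The following is an added illustration of that class and of the allowlist fix, written against a constructed SQLite table; it is not Piwigo's code, and the table, the column names and the `sSortDir_0`-style parameter handling are hypothetical. It also shows why "gain access to the data" is the right severity: an expression injected as the sort direction turns row order into a boolean oracle.

```python
"""Sort-direction injection (ORDER BY parameter concatenated into SQL) and its
allowlist fix. Hypothetical illustration on constructed data, not Piwigo's code."""
import sqlite3
from typing import List, Optional

# The only values a sort request may legitimately select.
ALLOWED_SORT_COLUMNS = {"id", "username"}
ALLOWED_SORT_DIRS = {"ASC", "DESC"}


def make_db() -> sqlite3.Connection:
    """Constructed sample data; not taken from any real installation."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (id, username, password) VALUES (?, ?, ?)",
        [(1, "admin", "s3cret-hash"), (2, "bob", "other-hash"), (3, "carol", "third-hash")],
    )
    return conn


def list_users_vulnerable(conn: sqlite3.Connection, sort_col: str, sort_dir: str) -> List[str]:
    """Vulnerable pattern: request parameters are pasted straight into ORDER BY."""
    sql = f"SELECT username FROM users ORDER BY {sort_col} {sort_dir}"
    return [row[0] for row in conn.execute(sql)]


def list_users_hardened(conn: sqlite3.Connection, sort_col: str, sort_dir: str) -> List[str]:
    """Fixed pattern: ORDER BY targets cannot be bound parameters, so allowlist them."""
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unexpected sort column: {sort_col!r}")
    direction = sort_dir.upper()
    if direction not in ALLOWED_SORT_DIRS:
        raise ValueError(f"unexpected sort direction: {sort_dir!r}")
    sql = f"SELECT username FROM users ORDER BY {sort_col} {direction}"
    return [row[0] for row in conn.execute(sql)]


def oracle_payload(guess: str) -> str:
    """A 'direction' that is really an expression: ORDER BY id * (+1 or -1).

    The result comes back ascending when the guess matches the first character
    of the admin password hash and descending otherwise, one bit per request.
    """
    return (
        "* (CASE WHEN (SELECT substr(password, 1, 1) FROM users WHERE username = 'admin')"
        f" = '{guess}' THEN 1 ELSE -1 END)"
    )


def recover_first_char(
    conn: sqlite3.Connection, alphabet: str = "abcdefghijklmnopqrstuvwxyz0123456789"
) -> Optional[str]:
    """Drive the oracle against the vulnerable endpoint to leak one character."""
    baseline = list_users_vulnerable(conn, "id", "ASC")
    for guess in alphabet:
        if list_users_vulnerable(conn, "id", oracle_payload(guess)) == baseline:
            return guess
    return None


def hardened_rejects(conn: sqlite3.Connection, sort_col: str, sort_dir: str) -> bool:
    """True when the allowlisted endpoint refuses the given sort parameters."""
    try:
        list_users_hardened(conn, sort_col, sort_dir)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable endpoint leaks:", recover_first_char(db))      # s
    print("hardened endpoint rejects payload:", hardened_rejects(db, "id", oracle_payload("s")))
```

The fix is deliberately an allowlist rather than escaping: identifiers and keywords in ORDER BY are not string literals, so quoting functions do not protect them, and a mapping from a small set of accepted tokens to fixed SQL fragments is the only robust option.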