Summary: | www-apps/piwigo: SQL injections, XSS | |
---|---|---|---
Product: | Gentoo Security | Reporter: | John Helmert III <ajak>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | IN_PROGRESS --- | |
Severity: | trivial | CC: | voyageur
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://github.com/Piwigo/Piwigo/issues/1469 | |
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=891971 | |
Whiteboard: | ~4 [??] | |
Package list: | | Runtime testing required: | ---
Description
John Helmert III
2021-12-08 19:37:27 UTC
Waiting on the upstream discussion to progress indeed, as it mentions 11.5 explicitly it may just end up being a cleanup bug (we have 12.x versions in tree).

CVE-2021-40882 (https://github.com/Piwigo/Piwigo/issues/1477): A Cross Site Scripting (XSS) vulnerability exists in Piwigo 11.5.0 via the system album name and description of the location.

CVE-2021-45357 (https://github.com/Piwigo/Piwigo/issues/1582): Cross Site Scripting (XSS) vulnerability exists in Piwigo 12.x via the pwg_activity function in include/functions.inc.php.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99818f7a433a75e3350b05432b90104eff9d3556

    commit 99818f7a433a75e3350b05432b90104eff9d3556
    Author:     Bernard Cafarelli <voyageur@gentoo.org>
    AuthorDate: 2022-02-20 15:50:47 +0000
    Commit:     Bernard Cafarelli <voyageur@gentoo.org>
    CommitDate: 2022-02-20 15:50:47 +0000

        www-apps/piwigo: clean old versions

        https://github.com/Piwigo/Piwigo/issues/1582 mentions all versions <=12.1.0 have an XSS vulnerability

        Bug: https://bugs.gentoo.org/828581
        Package-Manager: Portage-3.0.30, Repoman-3.0.3
        Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

     www-apps/piwigo/Manifest                | 3 ---
     www-apps/piwigo/piwigo-11.5.0-r1.ebuild | 44 ---------------------------------
     www-apps/piwigo/piwigo-12.0.0.ebuild    | 44 ---------------------------------
     www-apps/piwigo/piwigo-12.1.0.ebuild    | 44 ---------------------------------
     4 files changed, 135 deletions(-)

CVE-2022-24620 (https://github.com/Piwigo/Piwigo/issues/1605): Piwigo version 12.2.0 is vulnerable to stored cross-site scripting (XSS), which can lead to privilege escalation. In this way, admin can steal webmaster's cookies to get the webmaster's access.

CVE-2022-26266 (https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_SQLinject.md): Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via pwg.users.php.

CVE-2022-26267 (https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_InforMation_Disclosure.md): Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php.

CVE-2021-40678 (https://github.com/Piwigo/Piwigo/issues/1476): In Piwigo 11.5.0, there exists a persistent cross-site scripting in the single mode function through /admin.php?page=batch_manager&mode=unit.

Still hard to track the vulnerabilities in it, just updating status as many of the mentioned versions have been dropped for a while (and now only 13.7.0 will be in tree for #847979).