Summary
This host is installed with Piwigo and is prone to cross site request forgery and path traversal vulnerabilities.
Impact
Successful exploitation will allow remote attackers to create arbitrary PHP file or to retrieve and delete arbitrary files in the context of the affected application.
Impact Level: Application
Solution
Upgrade to Piwigo version 2.4.7
For updates refer to http://piwigo.org/releases/2.4.7
Insight
- Flaw in the LocalFiles Editor plugin, it does not require multiple steps or explicit confirmation for sensitive transactions.
- Input passed via 'dl' parameter to install.php is not properly sanitized before being used.
Affected
Piwigo version 2.4.6 and prior
References
Severity
Classification
-
CVE CVE-2013-1468, CVE-2013-1469 -
CVSS Base Score: 7.6
AV:N/AC:H/Au:N/C:C/I:C/A:C
Related Vulnerabilities
- 4Images <= 1.7.1 Directory Traversal Vulnerability
- Advanced Guestbook Index.PHP SQL Injection Vulnerability
- Apache Axis2 Document Type Declaration Processing Security Vulnerability
- appRain CMF SQL Injection And Cross Site Scripting Vulnerabilities
- Apache Struts2 Redirection and Security Bypass Vulnerabilities