Piwigo Cross Site Request Forgery and Path Traversal Vulnerabilities

Summary
This host is installed with Piwigo and is prone to cross-site request forgery and path traversal vulnerabilities.
Impact
Successful exploitation will allow remote attackers to create arbitrary PHP files, or to retrieve and delete arbitrary files, in the context of the affected application.
Impact Level: Application
Solution
Upgrade to Piwigo version 2.4.7. For updates refer to http://piwigo.org/releases/2.4.7
Insight
- A flaw in the LocalFiles Editor plugin: it does not require multiple steps or explicit confirmation for sensitive transactions.
- Input passed via the 'dl' parameter to install.php is not properly sanitized before being used.
Affected
Piwigo version 2.4.6 and prior
References