Description

Piwigo through 2.9.1 allows remote attackers to obtain sensitive information about the descriptive name of a permalink by examining the redirect URL that is returned in a request for the permalink ID number of a private album. The permalink ID numbers are easily guessed.

Remediation

References

CVE-2017-10679

Related Vulnerabilities

WordPress Plugin Profile Extra Fields by BestWebSoft Cross-Site Scripting (1.0.7)

WordPress Plugin YaMaps for WordPress Cross-Site Scripting (0.6.25)

WordPress Improper Neutralization of Special Elements used in a Command ('Command Injection') Vulnerability (CVE-2016-10045)

MySQL Improper Access Control Vulnerability (CVE-2016-8288)

WordPress Plugin Product Import Export for WooCommerce Cross-Site Request Forgery (1.7.4)

Severity

High

Classification

CVE-2017-10679 CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities