Description

admin/plugin.php in Piwigo through 2.8.3 doesn't validate the sections variable while using it to include files. This can cause information disclosure and code execution if it contains a .. sequence.

Remediation

References

CVE-2016-10105

Related Vulnerabilities

Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2015-5339)

WordPress Plugin VikBooking Hotel Booking Engine & PMS Cross-Site Scripting (1.5.8)

ProjectSend Improper Neutralization of Formula Elements in a CSV File Vulnerability (CVE-2018-7201)

WordPress Plugin WP TripAdvisor Review Slider SQL Injection (10.7)

WordPress Plugin JC Coupon Cross-Site Scripting (2.5)

Severity

Critical

Classification

CVE-2016-10105 CWE-284 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities