Community plugin 2.9.e-beta for Piwigo allows users to set image information on images in albums for which they do not have permission,

 

Overview :
The Community plugin 2.9.e-beta for Piwigo allows users to set image information on images in albums for which they do not have permission, by manipulating the image_id parameter.

CVE-2020-9468

security] ability to by-pass protection on photo edition #49

CVE-2020-9468 reported by Zak S.

Further, a malicious user can modify the value of the ‘image_id’ parameter to any existing image id. There are no access controls to prevent a user from manipulating information on images that are in albums to which they do not have access.

References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

Common Vulnerabilityies and Exposures

Contact us to get started

CVE-2021-4234 : OPENVPN ACCESS SERVER UP TO 2.10 AMPLIFICATION

CVE-2021-4234 : OPENVPN ACCESS SERVER UP TO 2.10 AMPLIFICATION

Description OpenVPN Access Server 2.10 and prior versions are susceptible to resending multiple packets in a response to a reset

CVE-2022-31856 : NEWSLETTER MODULE ON OPENCART /INDEX.PHP ZEMEZ_NEWSLETTER_EMAIL SQL INJECTION

CVE-2022-31856 : NEWSLETTER MODULE ON OPENCART /INDEX.PHP ZEMEZ_NEWSLETTER_EMAIL SQL INJECTION

Description Newsletter Module v3.x was discovered to contain a SQL injection vulnerability via the zemez_newsletter_email parameter at /index.php. References https://www.exploit-db.com/exploits/50942

CVE-2022-34918 : LINUX KERNEL UP TO 5.18.9 USER NAMESPACE NF_TABLES_API.C NFT_SET_ELEM_INIT TYPE CONFUSION

CVE-2022-34918 : LINUX KERNEL UP TO 5.18.9 USER NAMESPACE NF_TABLES_API.C NFT_SET_ELEM_INIT TYPE CONFUSION

Description An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a