Overview :
The Community plugin 2.9.e-beta for Piwigo allows users to set image information on images in albums for which they do not have permission, by manipulating the image_id parameter.


security] ability to by-pass protection on photo edition #49

CVE-2020-9468 reported by Zak S.

Further, a malicious user can modify the value of the ‘image_id’ parameter to any existing image id. There are no access controls to prevent a user from manipulating information on images that are in albums to which they do not have access.

Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.