Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function.

phrenetically Overview :
Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function.

CVE-2020-9467

stored XSS with pwg.images.setInfo #1168

file param. No worry with an admin, but this method can be used by a community user as well.

Originally reported by Zak S. see CVE-2020-9467

References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
Assigning CNA
MITRE Corporation

Common Vulnerabilityies and Exposures

Contact us to get started

CVE-2024-20381 : CISCO IOS XR JSON-RPC API IMPROPER AUTHORIZATION

CVE-2024-20381 : CISCO IOS XR JSON-RPC API IMPROPER AUTHORIZATION

Description A vulnerability in the JSON-RPC API feature in ConfD that is used by the web-based management interfaces of Cisco

CVE-2024-44466 : COMFAST CF-XR11 2.7.2 HTTP POST REQUEST /USR/BIN/WEBMGNT SUB_424CB4 IFACE COMMAND INJECTION

CVE-2024-44466 : COMFAST CF-XR11 2.7.2 HTTP POST REQUEST /USR/BIN/WEBMGNT SUB_424CB4 IFACE COMMAND INJECTION

Description COMFAST CF-XR11 V2.7.2 has a command injection vulnerability in function sub_424CB4. Attackers can send POST request messages to /usr/bin/webmgnt

CVE-2024-45013 : LINUX KERNEL UP TO 6.10.6 NVME_UNINIT_CTRL USE AFTER FREE

CVE-2024-45013 : LINUX KERNEL UP TO 6.10.6 NVME_UNINIT_CTRL USE AFTER FREE

Description In the Linux kernel, the following vulnerability has been resolved: nvme: move stopping keep-alive into nvme_uninit_ctrl() Commit 4733b65d82bd (“nvme: