HIGH🇬🇧 English

CVE-2016-3735

CVSS 8.1v3.1pub. 2022-01-28upd. 2024-11-21

Piwigo is image gallery software written in PHP. When a criteria is not met on a host, piwigo defaults to usingmt_rand in order to generate password reset tokens. mt_rand output can be predicted after recovering the seed used to generate it. This low an unauthenticated attacker to take over an account providing they know an administrators email address in order to be able to request password reset.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Piwigo

    APP
    Piwigo
    < 2.8.1
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
Auth Bypass
CWE
Referencje

Powiązane podatności

CVE-2023-44393CRITICAL9.3ten sam produkt

Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scrip...

CVE-2023-33362CRITICAL9.8ten sam produkt

Piwigo 13.6.0 is vulnerable to SQL Injection via in the "profile" function.

CVE-2023-33361CRITICAL9.8ten sam produkt

Piwigo 13.6.0 is vulnerable to SQL Injection via /admin/permalinks.php.

CVE-2020-19213CRITICAL9.8ten sam produkt

SQL Injection vulnerability in cat_move.php in piwigo v2.9.5, via the selection parameter to move_categories.

CVE-2021-32615CRITICAL9.8ten sam produkt

Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.