HIGH🇵🇱 Wersja polska

CVE-2016-3735

CVSS 8.1v3.1pub. 2022-01-28upd. 2024-11-21

Piwigo is image gallery software written in PHP. When a criteria is not met on a host, piwigo defaults to usingmt_rand in order to generate password reset tokens. mt_rand output can be predicted after recovering the seed used to generate it. This low an unauthenticated attacker to take over an account providing they know an administrators email address in order to be able to request password reset.

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Piwigo

    APP
    Piwigo
    < 2.8.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2023-44393CRITICAL9.3ten sam produkt

Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scrip...

CVE-2023-33362CRITICAL9.8ten sam produkt

Piwigo 13.6.0 is vulnerable to SQL Injection via in the "profile" function.

CVE-2023-33361CRITICAL9.8ten sam produkt

Piwigo 13.6.0 is vulnerable to SQL Injection via /admin/permalinks.php.

CVE-2020-19213CRITICAL9.8ten sam produkt

SQL Injection vulnerability in cat_move.php in piwigo v2.9.5, via the selection parameter to move_categories.

CVE-2021-32615CRITICAL9.8ten sam produkt

Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.