Description
admin/batch_manager.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the $page['tab'] variable (aka the mode parameter).
Remediation
References