U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
  1. VulnerabilitiesSearch And Statistics

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): cpe:2.3:a:piwigo:lexiglot:2014-11-06:*:*:*:*:*:*:*
  • CPE Name Search: true
There are 9 matching records.
Displaying matches 1 through 9.
Vuln ID Summary CVSS Severity
CVE-2014-8945

admin.php?page=projects in Lexiglot through 2014-11-20 allows command injection via username and password fields.

Published: June 01, 2020; 1:15:12 PM -0400 		V4.0:(not available)
 V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2014-8944

Lexiglot through 2014-11-20 allows XSS (Reflected) via the username, or XSS (Stored) via the admin.php?page=config install_name, intro_message, or new_file_content parameter.

Published: June 01, 2020; 1:15:12 PM -0400 		V4.0:(not available)
 V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2014-8943

Lexiglot through 2014-11-20 allows SSRF via the admin.php?page=projects svn_url parameter.

Published: June 01, 2020; 1:15:12 PM -0400 		V4.0:(not available)
 V3.1: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2014-8942

Lexiglot through 2014-11-20 allows CSRF.

Published: June 01, 2020; 1:15:12 PM -0400 		V4.0:(not available)
 V3.1: 8.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2014-8941

Lexiglot through 2014-11-20 allows SQL injection via an admin.php?page=users&from_id= or admin.php?page=history&limit= URI.

Published: June 01, 2020; 1:15:12 PM -0400 		V4.0:(not available)
 V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2014-8940

Lexiglot through 2014-11-20 allows remote attackers to obtain sensitive information (names and details of projects) by visiting the /update.log URI.

Published: June 01, 2020; 1:15:12 PM -0400 		V4.0:(not available)
 V3.1: 5.3 MEDIUM
V2.0: 5.0 MEDIUM
CVE-2014-8939

Lexiglot through 2014-11-20 allows remote attackers to obtain sensitive information (full path) via an include/smarty/plugins/modifier.date_format.php request if PHP has a non-recommended configuration that produces warning messages.

Published: June 01, 2020; 1:15:12 PM -0400 		V4.0:(not available)
 V3.1: 5.3 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2014-8938

Lexiglot through 2014-11-20 allows local users to obtain sensitive information by listing a process because the username and password are on the command line.

Published: June 01, 2020; 1:15:12 PM -0400 		V4.0:(not available)
 V3.1: 7.8 HIGH
V2.0: 2.1 LOW
CVE-2014-8937

Lexiglot through 2014-11-20 allows denial of service because api/update.php launches svn update operations that use a great deal of resources.

Published: June 01, 2020; 1:15:12 PM -0400 		V4.0:(not available)
 V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM