Vulnerabilities (CVE)

Filtered by vendor Tinywebgallery
Total 13 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-24953 1 Tinywebgallery 1 Advanced Iframe 2022-03-11 4.3 MEDIUM 6.1 MEDIUM
The Advanced iFrame WordPress plugin before 2022 does not sanitise and escape the ai_config_id parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue.
CVE-2013-2631 1 Tinywebgallery 1 Tinywebgallery 2020-02-05 5.0 MEDIUM 5.3 MEDIUM
TinyWebGallery (TWG) 1.8.9 and earlier contains a full path disclosure vulnerability which allows remote attackers to obtain sensitive information through the parameters "twg_browserx" and "twg_browsery" in the page image.php.
CVE-2012-2931 1 Tinywebgallery 1 Tinywebgallery 2020-01-22 6.5 MEDIUM 7.2 HIGH
PHP code injection in TinyWebGallery before 1.8.8 allows remote authenticated users with admin privileges to inject arbitrary code into the .htusers.php file.
CVE-2006-1802 1 Tinywebgallery 1 Tinywebgallery 2018-10-18 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in index.php in TinyWebGallery 1.3 and 1.4 allows remote attackers to inject arbitrary web script or HTML via the twg_album parameter.
CVE-2006-4166 1 Tinywebgallery 1 Tinywebgallery 2018-10-17 7.5 HIGH N/A
PHP remote file inclusion vulnerability in TinyWebGallery 1.5 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the image parameter to (1) image.php or (2) image.php2.
CVE-2009-1911 2 Claudio Klingler, Tinywebgallery 2 Quixplorer, Tinywebgallery 2018-10-10 6.8 MEDIUM N/A
Directory traversal vulnerability in .include/init.php (aka admin/_include/init.php) in QuiXplorer 2.3.2 and earlier, as used in TinyWebGallery (TWG) 1.7.6 and earlier, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter to admin/index.php.
CVE-2014-5014 1 Tinywebgallery 1 Wordpress Flash Uploader 2018-05-25 7.5 HIGH 9.8 CRITICAL
The WordPress Flash Uploader plugin before 3.1.3 for WordPress allows remote attackers to execute arbitrary commands via vectors related to invalid characters in image_magic_path.
CVE-2017-16635 1 Tinywebgallery 1 Tinywebgallery 2017-11-29 3.5 LOW 5.4 MEDIUM
In TinyWebGallery v2.4, an XSS vulnerability is located in the `mkname`, `mkitem`, and `item` parameters of the `Add/Create` module. Remote attackers with low-privilege user accounts for backend access are able to inject malicious script codes into the `TWG Explorer` item listing. The request method to inject is POST and the attack vector is located on the application-side of the service. The injection point is the add/create input field and the execution point occurs in the item listing after the add or create.
CVE-2012-5347 1 Tinywebgallery 1 Tinywebgallery 2017-08-28 7.5 HIGH N/A
TinyWebGallery 1.8.3 allows remote attackers to execute arbitrary code via shell metacharacters in the command parameter to (1) inc/filefunctions.inc or (2) info.php.
CVE-2007-4958 1 Tinywebgallery 1 Tinywebgallery 2017-07-28 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery (TWG) 1.6.3.4 allow remote attackers to inject arbitrary web script or HTML via the URI for (1) index.php, (2) i_frames/i_login.php, and (3) i_frames/i_top_tags.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2012-2932 1 Tinywebgallery 1 Tinywebgallery 2015-10-05 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to inject arbitrary web script or HTML via the selitems[] parameter in a (1) copy, (2) chmod, or (3) arch action to admin/index.php or (4) searchitem parameter in a search action to admin/index.php.
CVE-2012-2930 1 Tinywebgallery 1 Tinywebgallery 2015-04-27 6.8 MEDIUM N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user via an adduser action to admin/index.php or (2) conduct static PHP code injection attacks in .htusers.php via the user parameter to admin/index.php.
CVE-2011-3810 1 Tinywebgallery 1 Tinywebgallery 2012-05-20 5.0 MEDIUM N/A
TinyWebGallery (TWG) 1.8.3 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by i_frames/i_register.php.