CVE-2016-10514 Information

Description

url_check_format in include/functions.inc.php in Piwigo before 2.8.3 allows remote attackers to bypass intended access restrictions via a URL that contains a \ character or a URL beginning with a substring other than the http:// or https:// substring.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Reference

http://piwigo.org/releases/2.8.3
https://github.com/Piwigo/Piwigo/commit/b3157cbfd859c914911b114d4edbba4654758b57
https://github.com/Piwigo/Piwigo/issues/547

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

6.5

Base Severity

MEDIUM
