CVE-2016-3735
First published: Fri Jan 28 2022(Updated: )
Piwigo is image gallery software written in PHP. When a criteria is not met on a host, piwigo defaults to usingmt_rand in order to generate password reset tokens. mt_rand output can be predicted after recovering the seed used to generate it. This low an unauthenticated attacker to take over an account providing they know an administrators email address in order to be able to request password reset.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Piwigo Piwigo | <2.8.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2016-3735?
CVE-2016-3735 is a vulnerability in the Piwigo image gallery software that allows an unauthenticated attacker to take over an account.
What is the severity of CVE-2016-3735?
CVE-2016-3735 has a severity of 8.1 which is considered high.
How does CVE-2016-3735 affect Piwigo software?
CVE-2016-3735 affects Piwigo software versions up to and excluding 2.8.1.
How can an attacker exploit CVE-2016-3735?
An attacker can exploit CVE-2016-3735 by predicting the output of the mt_rand function used to generate password reset tokens.
Is there a fix for CVE-2016-3735?
Yes, Piwigo software versions after 2.8.1 have addressed the vulnerability. Users are advised to update to the latest version.
- collector/nvd-index
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/type
- agent/event
- agent/description
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- agent/remedy
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/piwigo
- canonical/piwigo piwigo