SQL Injection Vulnerability in Piwigo Software by Piwigo Team
CVE-2021-32615
9.8 CRITICAL
What is CVE-2021-32615?
Piwigo version 11.4.0 is susceptible to an SQL Injection vulnerability that occurs in the user_list_backend.php file. This flaw enables an authenticated user to manipulate database queries by injecting arbitrary SQL code through the order[0][dir] parameter. Attackers could potentially exploit this vulnerability to retrieve sensitive information from the database or disrupt normal operations. Adequate validation and sanitization of user inputs are crucial to mitigate this risk.
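The validation the description calls for, sketched for a sort parameter shaped like order[0][dir]. This is an added example, not Piwigo's code or its patch. The function name build_order_by, the column map and the order[i][column] key are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical map: client column index => real SQL column name.
// These names are assumptions for illustration, not Piwigo's schema.
const SORTABLE_COLUMNS = [
    0 => 'id',
    1 => 'username',
    2 => 'registration_date',
];

/**
 * Build an ORDER BY clause from order[i][column] / order[i][dir] request values.
 * Identifiers and keywords cannot be bound as prepared-statement placeholders,
 * so each one is mapped through an allowlist and no request text reaches the SQL.
 */
function build_order_by(array $order): string
{
    $parts = [];
    foreach ($order as $item) {
        if (!is_array($item)) {
            throw new InvalidArgumentException('malformed order entry');
        }
        $col = filter_var($item['column'] ?? null, FILTER_VALIDATE_INT);
        if ($col === false || !array_key_exists($col, SORTABLE_COLUMNS)) {
            throw new InvalidArgumentException('unknown sort column');
        }
        $dir = $item['dir'] ?? 'asc';
        if (!is_string($dir)) {
            throw new InvalidArgumentException('invalid sort direction');
        }
        // Only two values are legal; the emitted keyword is our own literal.
        $keyword = match (strtolower($dir)) {
            'asc' => 'ASC',
            'desc' => 'DESC',
            default => throw new InvalidArgumentException('invalid sort direction'),
        };
        $parts[] = SORTABLE_COLUMNS[$col] . ' ' . $keyword;
    }
    return $parts ? ' ORDER BY ' . implode(', ', $parts) : '';
}

// Constructed sample input, shaped like $_REQUEST['order'].
echo build_order_by([['column' => '1', 'dir' => 'desc']]), PHP_EOL;
try {
    build_order_by([['column' => '1', 'dir' => 'descending']]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The code requires PHP 8.0 or later for match and throw expressions. The first call yields " ORDER BY username DESC" and the second is rejected because the direction is not one of the two allowed values.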