SQL Injection Vulnerability in Piwigo by Piwigo Team
CVE-2023-26876

8.8HIGH

Key Information:

Vendor: Piwigo
Status: Piwigo
Vendor: CVE Published:; 21 April 2023

What is CVE-2023-26876?

A SQL injection vulnerability exists in Piwigo versions 13.5.0 and earlier, which permits a remote attacker to execute arbitrary code. This exploitation occurs through improper handling of user input in the 'filter_user_id' parameter within the admin.php?page=history&filter_image_id=&filter_user_id endpoint. Attackers can manipulate this input to craft malicious queries, leading to unauthorized access and potentially compromising the application.

References

https://www.tempest.com.br

https://piwigo.com

https://gist.github.com/rodnt/a190d14d1715890d8df19bad58b...

EPSS Score

37% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 21, 2023
Vulnerability Reserved
Feb 27, 2023