Piwigo SQL Injection vulnerability in "User-Agent"
CVE-2023-37270

7.6HIGH

Key Information:

Vendor

Piwigo

Status
Piwigo
Vendor
CVE Published:
7 July 2023

What is CVE-2023-37270?

Piwigo, an open-source photo gallery software, has a SQL Injection vulnerability in its administrator login interface prior to version 13.8.0. This vulnerability allows authenticated users, including those with low privileges, to execute arbitrary SQL statements through the vulnerable HTTP Header User-Agent. Exploiting this flaw could lead to information leakage from the database, potentially compromising sensitive data. It is advised that users upgrade to version 13.8.0 or later to mitigate this risk and ensure that any SQL statements executed with user-supplied parameters are properly sanitized.

Affected Version(s)

Piwigo < 13.8.0

References

https://github.com/Piwigo/Piwigo/security/advisories/GHSA...
x_refsource_CONFIRM
https://github.com/Piwigo/Piwigo/commit/978425527d6c11388...
x_refsource_MISC
https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8...
x_refsource_MISC

EPSS Score

69% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.6
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.