CVE-2017-17822

Name of the Vulnerable Software and Affected Versions Piwigo version 2.9.2

Description The issue concerns SQL Injection via the sSortDir 0 parameter in the List Users API, specifically affecting the /admin/user list backend.php endpoint. This allows an attacker to potentially gain access to the data in a connected MySQL database.

Recommendations For Piwigo version 2.9.2, consider restricting access to the /admin/user list backend.php endpoint until a patch is available. As a temporary workaround, avoid using the sSortDir 0 parameter in the affected API endpoint to minimize the risk of exploitation.