CVE-2017-17824

Name of the Vulnerable Software and Affected Versions Piwigo version 2.9.2

Description The issue concerns SQL Injection in the Batch Manager component of Piwigo. Specifically, the element ids parameter in the "admin/batch manager unit.php" endpoint is vulnerable when in unit mode. This allows an attacker to potentially gain access to the data in a connected MySQL database.

Recommendations For Piwigo version 2.9.2, consider restricting access to the "admin/batch manager unit.php" endpoint until a patch is available. As a temporary workaround, avoid using the element ids parameter in unit mode to minimize the risk of exploitation.