CVE-2023-26876

Name of the Vulnerable Software and Affected Versions Piwigo versions prior to 13.5.0

Description A SQL injection issue allows a remote attacker to execute arbitrary code via the filter user id parameter to the "admin.php?page=history&filter image id=&filter user id" endpoint.

Recommendations For versions prior to 13.5.0, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the "admin.php?page=history&filter image id=&filter user id" endpoint until a patch is available. Avoid using the filter user id parameter in the affected endpoint until the issue is resolved.