Harry Goodman
Researcher from NCC Group
Rank #15685 of 53,632
Total CVSS: 17.3
Vulnerabilities: 2 (1 Critical, 1 High)
PT-2021-19808 · CVSS 9.8 · 2021-05-13
Piwigo · Piwigo · CVE-2021-32615

**Name of the Vulnerable Software and Affected Versions**
Piwigo version 11.4.0

**Description**
The issue allows SQL Injection through the `order[0][dir]` parameter of the `admin/user_list_backend.php` endpoint: the sort-direction value is used in the query without proper validation.

**Recommendations**
For Piwigo version 11.4.0, as a temporary workaround, restrict access to the `admin/user_list_backend.php` endpoint until a patch is available, and avoid using the `order[0][dir]` parameter on this endpoint to reduce the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2021-19504 · CVSS 7.5 · 2021-04-26
Piwigo · Piwigo LocalFilesEditor · CVE-2021-31783

**Name of the Vulnerable Software and Affected Versions**
Piwigo LocalFilesEditor extension, versions prior to 11.4.0.1

**Description**
The issue allows Local File Inclusion because the `file` parameter in `show_default.php` is not properly validated before the referenced file is read and included.

**Recommendations**
For versions prior to 11.4.0.1, update to version 11.4.0.1 or later to resolve the issue.