PT-2008-3825 · Imgallery · Imgallery

Condemned

Published

2008-05-19

Updated

2017-09-29

CVE-2008-2337

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions: IMGallery version 2.5

Description: The issue allows remote attackers to execute arbitrary SQL commands due to multiple SQL injection vulnerabilities. This is possible when magic quotes gpc is disabled. The vulnerabilities can be exploited via the kategoria parameter to "galeria.php", and the id phot parameter to "popup/koment.php" and "popup/opis.php".

Recommendations: For IMGallery version 2.5, consider disabling the kategoria and id phot parameters in the affected API endpoints until a patch is available. Restrict access to "galeria.php", "popup/koment.php", and "popup/opis.php" to minimize the risk of exploitation. Avoid using the kategoria and id phot parameters in the respective endpoints until the issue is resolved.

Exploit

Fix

RCE

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2008-2337

Affected Products

Imgallery

PT-2008-3825 · Imgallery · Imgallery

CVE-2008-2337

Weakness Enumeration

Related Identifiers

Affected Products

References · 5