PT-2017-15028 · Piwigo · Piwigo

Sahil Dhar

·

Published

2017-12-21

·

Updated

2018-01-03

·

CVE-2017-17823

CVSS v3.1

4.9

Medium

VectorAV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Piwigo version 2.9.2
Description The Configuration component of Piwigo is vulnerable to SQL Injection via the order by array parameter in the admin/configuration.php file. An attacker can exploit this to gain access to the data in a connected MySQL database.
Recommendations For Piwigo version 2.9.2, avoid using the order by array parameter in the admin/configuration.php file until a patch is available. As a temporary workaround, consider restricting access to the admin/configuration.php file to minimize the risk of exploitation.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2017-17823

Affected Products

Piwigo