CVE-2017-9463

Name of the Vulnerable Software and Affected Versions Piwigo versions prior to 2.9.0

Description The issue allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. The user list backend.php component is affected, specifically the values of the iDisplayStart and iDisplayLength parameters, which are not sanitized and are used to construct a SQL query to retrieve a list of registered users.

Recommendations For Piwigo version 2.9.0 and possibly prior, as a temporary workaround, consider sanitizing the iDisplayStart and iDisplayLength parameters in the user list backend.php component to prevent SQL injection attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.