CVE-2023-37270
Published: 07 July 2023
Summary
CVE-2023-37270 is a high-severity SQL injection (CWE-89) vulnerability in Piwigo. Its CVSS base score is 7.6 (High).
Operationally, its EPSS score places it in the top 1.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Piwigo, an open source photo gallery application, contains a SQL injection vulnerability in versions prior to 13.8.0. The flaw is in the administrator login endpoint that records user information: the SQL statement that stores the HTTP User-Agent header embeds the header value without escaping it, so a quote character in the header terminates the string literal and the remainder of the header is parsed as SQL. The issue is tracked as CWE-89 and carries a CVSS 3.1 base score of 7.6.
The attacker must first log in to the administrator screen, but any account that can reach it, including a low-privileged one, suffices. Because the User-Agent header is entirely client-controlled, no special tooling is needed beyond setting that header on the login request; the crafted header then executes attacker-chosen SQL against the gallery database, which can leak its contents. No unauthenticated exploitation path is described.
The project's security advisory and the release notes for version 13.8.0 state that the vulnerability is fixed in that release. As a further safeguard, the advisory recommends escaping any user-supplied value before it is embedded verbatim in a SQL statement; binding the value as a query parameter, so that it is never parsed as SQL at all, is the standard alternative.
The EPSS score for this CVE stands at 0.5921, essentially unchanged from its initial value.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-41182
Vulnerability details
Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL injection vulnerability in the login of the administrator screen. The SQL statement that acquires the HTTP header `User-Agent` is vulnerable at the endpoint that records user information when logging in to the administrator screen. It is possible to execute arbitrary SQL statements. Someone who wants to exploit the vulnerability must be logged in to the administrator screen, even with low privileges. Any SQL statement can be executed. Doing so may leak information from the database. Version 13.8.0 contains a fix for this issue. As another mitigation, those who want to execute a SQL statement verbatim with user-enterable parameters should be sure to escape the parameter contents appropriately.
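The pattern described in the analysis above and restated in the vulnerability details (a login handler that splices the User-Agent header into an INSERT as a string literal), reduced to a runnable illustration of the vulnerable form, the escaping mitigation the advisory suggests, and the parameter-binding form. This is an added example written for this page, not Piwigo's code: it uses an in-memory SQLite database with a constructed schema (`users`, `user_infos`), a constructed password hash, and hypothetical `record_login_*` functions standing in for the login endpoint. SQLite escapes a quote by doubling it, so the escaping helper is SQLite-specific; against MySQL the driver's own escaping function must be used instead.

```python
import sqlite3

# Constructed sample data: a users table holding a secret column and the
# table where the (hypothetical) login handler records the browser's UA.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
CREATE TABLE user_infos (user_id INTEGER, user_agent TEXT);
INSERT INTO users VALUES (1, 'admin',   '$2y$10$constructedhash');
INSERT INTO users VALUES (2, 'lowpriv', '$2y$10$otherhash');
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_login_vulnerable(conn, user_id, user_agent):
    # The header value is concatenated straight into the statement. A single
    # quote in the header closes the literal and the rest is parsed as SQL.
    sql = (
        "INSERT INTO user_infos (user_id, user_agent) "
        f"VALUES ({int(user_id)}, '{user_agent}')"
    )
    conn.execute(sql)
    conn.commit()


def sqlite_quote_literal(value):
    # SQLite-specific escaping: a quote inside a literal is written as ''.
    return "'" + value.replace("'", "''") + "'"


def record_login_escaped(conn, user_id, user_agent):
    # Escaping, as the advisory recommends when a value is embedded verbatim.
    sql = (
        "INSERT INTO user_infos (user_id, user_agent) "
        f"VALUES ({int(user_id)}, {sqlite_quote_literal(user_agent)})"
    )
    conn.execute(sql)
    conn.commit()


def record_login_bound(conn, user_id, user_agent):
    # Bound parameter: the header travels as data and is never parsed as SQL.
    conn.execute(
        "INSERT INTO user_infos (user_id, user_agent) VALUES (?, ?)",
        (int(user_id), user_agent),
    )
    conn.commit()


def recorded_agent(conn, user_id):
    row = conn.execute(
        "SELECT user_agent FROM user_infos WHERE user_id = ?", (user_id,)
    ).fetchone()
    return row[0] if row else None


# Constructed payload sent as the User-Agent header by a low-privileged
# account: it closes the literal, splices in a subquery that reads another
# user's hash, and reopens the literal so the INSERT stays syntactically valid.
PAYLOAD = "Mozilla/5.0'||(SELECT password_hash FROM users WHERE id = 1)||'"


def demo():
    """Run the payload through all three handlers as the low-privileged user."""
    results = []
    for handler in (record_login_vulnerable, record_login_escaped, record_login_bound):
        conn = fresh_db()
        handler(conn, 2, PAYLOAD)
        results.append(recorded_agent(conn, 2))
    return tuple(results)  # (leaked, escaped, bound)


if __name__ == "__main__":
    leaked, escaped, bound = demo()
    print("vulnerable stored:", leaked)   # admin's hash spliced into the row
    print("escaped stored:   ", escaped)  # payload stored verbatim
    print("bound stored:     ", bound)    # payload stored verbatim
```

In the vulnerable case the row written for the attacker's own user contains the admin's hash, so anywhere the application later shows the recorded user-agent becomes the exfiltration channel; the escaped and bound variants store the header text unchanged. The same check, run against a staging copy with an obviously malformed User-Agent, is a quick way to confirm that an upgrade to 13.8.0 actually took effect.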
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')