Cyber Resilience

CVE-2023-37270

High · Public PoC

Published: 07 July 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: version 13.8.0
CVSS v3.1 score: 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L)
EPSS score: 0.5921 (98.3rd percentile)
Risk priority: 51 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-37270 is a high-severity SQL Injection (CWE-89) vulnerability in the Piwigo photo gallery application (vendor: Piwigo). Its CVSS base score is 7.6 (High).

Operationally, it ranks in the top 1.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

Piwigo, an open source photo gallery application, contains a SQL injection vulnerability prior to version 13.8.0. The flaw resides in the administrator login endpoint that records user information: the SQL statement that incorporates the HTTP User-Agent header value is built without sanitizing that input, allowing arbitrary SQL execution. The issue is tracked as CWE-89 and carries a CVSS 3.1 score of 7.6.

An attacker who has already obtained low-privileged administrator credentials can supply a crafted User-Agent header during login to execute arbitrary SQL statements against the database, potentially resulting in information disclosure. No unauthenticated exploitation path is described.

The project’s security advisory and release notes for version 13.8.0 state that the vulnerability is fixed in that release. As an additional safeguard, the advisory recommends properly escaping any user-supplied values before embedding them in SQL statements.

The EPSS score for this CVE stands at 0.5921 with no material increase from its initial value.

EU & UK References

Vulnerability details

Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the administrator screen. The SQL statement that acquires the HTTP header `User-Agent` is vulnerable at the endpoint that records user information when logging in to the administrator screen. It is possible to execute arbitrary SQL statements. Someone who wants to exploit the vulnerability must be logged in to the administrator screen, even with low privileges. Any SQL statement can be executed. Doing so may leak information from the database. Version 13.8.0 contains a fix for this issue. As another mitigation, those who want to execute a SQL statement verbatim with user-enterable parameters should be sure to escape the parameter contents appropriately.
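The weakness class described above, as an added illustration written for this page (it is not Piwigo's code and does not reproduce the project's schema or query): an in-memory SQLite table stands in for the table that records login information, and one constructed User-Agent value is run through three ways of writing the INSERT. The first concatenates the header into the SQL text (the CWE-89 pattern), the second applies the escape-before-embedding mitigation the advisory mentions, and the third uses a bound parameter. The table and column names (`user_infos`, `user_agent`) and the sample header strings are assumptions for the illustration.

```python
import sqlite3

# Constructed sample header values (not captured from any real system).
# The second contains a single quote, which a legitimate client may well send;
# it is enough to show whether the header can change the statement's structure.
SAMPLE_UA_PLAIN = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/115.0"
SAMPLE_UA_QUOTE = "Mozilla/5.0 (compatible; O'Reilly Reader/1.0)"


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a table recording who logged in with which client."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_infos (user_id INTEGER, user_agent TEXT)")
    return conn


def record_login_vulnerable(conn: sqlite3.Connection, user_id: int, user_agent: str) -> None:
    """CWE-89 pattern: the header value is pasted into the SQL text.

    Whatever the client puts in User-Agent becomes part of the statement, so the
    client, not the application, decides where the string literal ends.
    """
    sql = (
        "INSERT INTO user_infos (user_id, user_agent) "
        f"VALUES ({int(user_id)}, '{user_agent}')"
    )
    conn.execute(sql)
    conn.commit()


def record_login_escaped(conn: sqlite3.Connection, user_id: int, user_agent: str) -> None:
    """Escape-before-embedding mitigation (the advisory's interim advice).

    SQLite's rule is to double single quotes. A MySQL-backed application must use
    its driver's escaping function instead; quoting rules differ per engine, which
    is why this approach is fragile compared with bound parameters.
    """
    escaped = user_agent.replace("'", "''")
    sql = (
        "INSERT INTO user_infos (user_id, user_agent) "
        f"VALUES ({int(user_id)}, '{escaped}')"
    )
    conn.execute(sql)
    conn.commit()


def record_login_parameterized(conn: sqlite3.Connection, user_id: int, user_agent: str) -> None:
    """Preferred fix: a bound parameter keeps SQL text and data separate."""
    conn.execute(
        "INSERT INTO user_infos (user_id, user_agent) VALUES (?, ?)",
        (user_id, user_agent),
    )
    conn.commit()


def stored_user_agent(conn: sqlite3.Connection, user_id: int):
    """Read back what actually landed in the table for a given user."""
    row = conn.execute(
        "SELECT user_agent FROM user_infos WHERE user_id = ?", (user_id,)
    ).fetchone()
    return row[0] if row else None


def compare(user_agent: str) -> dict:
    """Run all three variants on one header value and report what each did.

    A stored value equal to the input means the header was treated as data; an
    ERROR entry means the header changed the structure of the statement itself.
    """
    results = {}
    for name, fn in (
        ("vulnerable", record_login_vulnerable),
        ("escaped", record_login_escaped),
        ("parameterized", record_login_parameterized),
    ):
        conn = make_db()
        try:
            fn(conn, 1, user_agent)
            results[name] = stored_user_agent(conn, 1)
        except sqlite3.Error as exc:
            results[name] = f"ERROR: {type(exc).__name__}"
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    for ua in (SAMPLE_UA_PLAIN, SAMPLE_UA_QUOTE):
        print(ua)
        for variant, outcome in compare(ua).items():
            print(f"  {variant:14s} -> {outcome}")
```

With the plain header all three variants store the same value, which is why this class of bug survives functional testing. With the quoted header the concatenating variant fails with a syntax error, because the header has become part of the SQL grammar; the escaped and parameterized variants store the header verbatim. A failing statement is the benign symptom; the advisory's point is that a header the client controls must never be able to reach the parser as SQL at all, which the bound-parameter form guarantees regardless of database engine.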

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: piwigo
Product: piwigo
Versions: ≤ 13.8.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses. (addresses: CWE-89)
- Validates query inputs to prevent SQL syntax or command manipulation. (addresses: CWE-89)

References