SB2023070743 - Multiple vulnerabilities in Piwigo

Published: July 7, 2023 Updated: April 26, 2026

Security Bulletin ID: SB2023070743
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High: 33%, Low: 67%

Description

This security bulletin contains information about 3 vulnerabilities.


1) SQL injection (CVE-ID: CVE-2023-37270)

The vulnerability allows a remote user to execute arbitrary SQL statements.

The vulnerability exists due to SQL injection in the /identification.php endpoint when recording user information during administrator screen login through the User-Agent header. A remote user can send a specially crafted login request with a malicious User-Agent header to execute arbitrary SQL statements.

The issue is reachable by users who can log in to the administrator screen, including users with low privileges.


2) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2023-44393)

The vulnerability allows a remote attacker to execute arbitrary script code in an administrator's browser.

The vulnerability exists due to improper neutralization of script-related HTML tags in /admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here] when handling a crafted plugin_id parameter in a request. A remote attacker can send a specially crafted URL to execute arbitrary script code in an administrator's browser.

User interaction is required, and the victim must be logged in as an administrator and visit the crafted URL.


3) Cross-site scripting (CVE-ID: N/A)

The vulnerability allows a remote user to execute arbitrary scripts in the browsers of users who access the tag page.

The vulnerability exists due to cross-site scripting in the Tags page of the administrator screen when handling tag names added through the pwg.tags.add method. A remote user can add a crafted tag to execute arbitrary scripts in the browsers of users who access the tag page.

Exploitation requires access to the administrator screen with permission to access "Photos" and add tags.
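The three issues above share two root causes: request-controlled data (the User-Agent header) assembled into SQL by string concatenation, and user-controlled strings (plugin_id, tag names) written into HTML without escaping. The following Python example is added here for illustration and is not Piwigo's code. It uses an in-memory SQLite table named user_infos as a stand-in for the application's real database, a constructed User-Agent value containing an apostrophe, and hypothetical function names; it shows the concatenated query failing on ordinary input, the parameterized query storing the same value intact, and allowlist validation plus output escaping for the two HTML contexts.

```python
import html
import re
import sqlite3

# Constructed sample header: a perfectly legitimate value that happens to
# contain an apostrophe, which is enough to break naive SQL assembly.
SAMPLE_USER_AGENT = "Mozilla/5.0 (compatible; O'Reilly-Bot/1.0)"

# Hypothetical allowlist for plugin identifiers (assumption, not Piwigo's rule).
PLUGIN_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def _fresh_db():
    """In-memory stand-in for the application's user-info table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_infos (user_id INTEGER, user_agent TEXT)")
    return conn


def record_user_agent_unsafe(conn, user_id, user_agent):
    """Defect class behind CVE-2023-37270: the raw header is spliced into SQL text."""
    sql = "INSERT INTO user_infos (user_id, user_agent) VALUES (%d, '%s')" % (
        user_id, user_agent)
    conn.execute(sql)
    conn.commit()


def record_user_agent_safe(conn, user_id, user_agent):
    """Hardened form: the header is bound as a parameter and length-capped,
    so the driver never interprets its contents as SQL."""
    conn.execute(
        "INSERT INTO user_infos (user_id, user_agent) VALUES (?, ?)",
        (user_id, user_agent[:255]))
    conn.commit()


def demo_unsafe_breaks(user_agent=SAMPLE_USER_AGENT):
    """Returns the database error raised by the unsafe path, or None if it ran."""
    conn = _fresh_db()
    try:
        record_user_agent_unsafe(conn, 1, user_agent)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def demo_safe_roundtrip(user_agent=SAMPLE_USER_AGENT):
    """Stores the same value through the parameterized path and reads it back."""
    conn = _fresh_db()
    record_user_agent_safe(conn, 1, user_agent)
    row = conn.execute(
        "SELECT user_agent FROM user_infos WHERE user_id = 1").fetchone()
    return row[0]


def plugin_id_is_valid(plugin_id):
    """Allowlist check for the plugin_id query parameter (CVE-2023-44393 context)."""
    return bool(PLUGIN_ID_RE.fullmatch(plugin_id))


def render_install_status(plugin_id):
    """Validates plugin_id, then escapes it for the HTML body even though it
    passed validation: two independent layers."""
    if not plugin_id_is_valid(plugin_id):
        raise ValueError("plugin_id rejected")
    return "<p>Plugin %s installed</p>" % html.escape(plugin_id, quote=True)


def render_tag_name(name):
    """Tag names are user data whoever created them (the third issue above);
    escape on output so a stored name cannot become markup on the Tags page."""
    return "<li>%s</li>" % html.escape(name, quote=True)


if __name__ == "__main__":
    print("unsafe path error:", demo_unsafe_breaks())
    print("safe path stored:", demo_safe_roundtrip())
    print(render_install_status("my_plugin"))
    print(render_tag_name("holiday <2023>"))
```

The unsafe function fails on an apostrophe alone, which is the same parsing ambiguity an injected payload relies on; the parameterized version stores the value unchanged. For the HTML side, escaping belongs at the output point regardless of who stored the string, since both the plugin_id reflection and the stored tag name reach an administrator's browser.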


Remediation

Install the update from the vendor's website.