SQL injection in Piwigo - CVE-2023-37270

 

SQL injection in Piwigo - CVE-2023-37270

Published: July 7, 2023 / Updated: April 25, 2026


Vulnerability identifier: #VU127936
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-37270
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Piwigo.org
Affected software:
Piwigo

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary SQL statements.

The vulnerability exists due to SQL injection in the /identification.php endpoint when recording user information during administrator screen login through the User-Agent header. A remote user can send a specially crafted login request with a malicious User-Agent header to execute arbitrary SQL statements.

The issue is reachable by users who can log in to the administrator screen, including users with low privileges.


How to mitigate CVE-2023-37270

Install security update from vendor's website.

Sources