SQL injection in Piwigo - CVE-2023-37270

Published: July 7, 2023 / Updated: April 25, 2026


Vulnerability identifier: #VU127936
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-37270
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Piwigo
Software vendor:
Piwigo.org

Description

The vulnerability allows a remote user to execute arbitrary SQL statements.

The vulnerability exists due to SQL injection in the /identification.php endpoint: the value of the User-Agent header is used when recording user information during login to the administrator screen. A remote user can send a specially crafted login request with a malicious User-Agent header and execute arbitrary SQL statements.

The issue is reachable by any account that can log in to the administrator screen, including low-privileged users.
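The defect class described above (CWE-89: request data, here a header value, concatenated into SQL text) as an added, generic example; this is not Piwigo's code, and the table, column names and sample User-Agent strings are constructed for the illustration. It contrasts the concatenating pattern with a parameterized INSERT, which stores the header verbatim regardless of the characters it contains.

```python
import sqlite3


def setup_db():
    """Constructed stand-in for a 'user information recorded at login' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_infos (user_id INTEGER, user_agent TEXT)")
    return conn


def record_login_unsafe(conn, user_id, user_agent):
    """Vulnerable pattern (CWE-89): the header value becomes part of the SQL text.

    Any quote character in user_agent changes the statement's structure, which is
    the root cause an attacker builds on. Here an ordinary apostrophe is enough to
    show that the query is no longer the one the developer wrote.
    """
    sql = "INSERT INTO user_infos (user_id, user_agent) VALUES (%d, '%s')" % (
        user_id,
        user_agent,
    )
    conn.execute(sql)
    conn.commit()


def record_login_safe(conn, user_id, user_agent):
    """Hardened pattern: bound parameters; the header is data, never SQL syntax."""
    conn.execute(
        "INSERT INTO user_infos (user_id, user_agent) VALUES (?, ?)",
        (user_id, user_agent),
    )
    conn.commit()


def stored_user_agent(conn, user_id):
    row = conn.execute(
        "SELECT user_agent FROM user_infos WHERE user_id = ?", (user_id,)
    ).fetchone()
    return row[0] if row else None


def demo(user_agent):
    """Run both patterns on one header value.

    Returns (unsafe_outcome, safe_stored_value): unsafe_outcome is "ok" when the
    concatenated statement parsed as intended, or the sqlite3 error class name when
    the header altered the statement; safe_stored_value is what the parameterized
    INSERT actually persisted.
    """
    conn = setup_db()
    try:
        record_login_unsafe(conn, 1, user_agent)
        unsafe = "ok"
    except sqlite3.Error as exc:
        unsafe = type(exc).__name__
    record_login_safe(conn, 2, user_agent)
    return unsafe, stored_user_agent(conn, 2)


if __name__ == "__main__":
    # Constructed sample headers: a plain one and one containing an apostrophe.
    for ua in ("Mozilla/5.0", "Mozilla/5.0 (it's a test)"):
        print(repr(ua), "->", demo(ua))
```

The apostrophe case is the whole point: the concatenated statement fails to parse (the database reports a syntax error), proving the header was interpreted as SQL, while the parameterized version stores the string exactly as received. A fix for this vulnerability class is therefore to bind every request-derived value, header fields included, rather than to filter particular characters.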


Remediation

Install the security update from the vendor's website.

External links