CVE-2023-37270 — HIGH (7.6)

Q: How severe is CVE-2023-37270?

CVE-2023-37270 has been rated HIGH with a CVSS base score of 7.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-37270?

Check the references section above for vendor advisories and patch information. Affected products include: Piwigo Piwigo.

Vulnerability Description

Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the administrator screen. The SQL statement that acquires the HTTP Header `User-Agent` is vulnerable at the endpoint that records user information when logging in to the administrator screen. It is possible to execute arbitrary SQL statements. Someone who wants to exploit the vulnerability must be log in to the administrator screen, even with low privileges. Any SQL statement can be executed. Doing so may leak information from the database. Version 13.8.0 contains a fix for this issue. As another mitigation, those who want to execute a SQL statement verbatim with user-enterable parameters should be sure to escape the parameter contents appropriately.

CVSS Score

7.6

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Piwigo	Piwigo	< 13.8.0

Related Weaknesses (CWE)

CWE-89

References

https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/iProduct
https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/iProduct
https://github.com/Piwigo/Piwigo/commit/978425527d6c113887f845d75cf982bbb62d761aPatch
https://github.com/Piwigo/Piwigo/security/advisories/GHSA-934w-qj9p-3qcxExploitThird Party Advisory
https://piwigo.org/release-13.8.0Release Notes
https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/iProduct
https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/iProduct
https://github.com/Piwigo/Piwigo/commit/978425527d6c113887f845d75cf982bbb62d761aPatch
https://github.com/Piwigo/Piwigo/security/advisories/GHSA-934w-qj9p-3qcxExploitThird Party Advisory
https://piwigo.org/release-13.8.0Release Notes

FAQ

What is CVE-2023-37270?

CVE-2023-37270 is a vulnerability with a CVSS score of 7.6 (HIGH). Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the administrator screen. The SQL statement that acquires the HTTP Header ...

How severe is CVE-2023-37270?

CVE-2023-37270 has been rated HIGH with a CVSS base score of 7.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-37270?

Check the references section above for vendor advisories and patch information. Affected products include: Piwigo Piwigo.