Description

The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/configuration.php order_by array parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.

Remediation

References

CVE-2017-17823

Related Vulnerabilities

Internet Information Services Improper Authentication Vulnerability (CVE-2009-1122)

WordPress Plugin Store Locator for WordPress with Google Maps-LotsOfLocales SQL Injection (3.11)

WordPress Plugin Backup and Staging by WP Time Capsule PHP Object Injection (1.21.9)

WordPress Plugin WP AutoComplete Search SQL Injection (1.0.4)

WordPress Plugin Blogtopdf Local File Inclusion (1.0.2)

Severity

Medium

Classification

CVE-2017-17823 CWE-138 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities