Description
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated administrators to execute arbitrary SQL commands. This issue has been patched in version 16.3.0.
Remediation
References
Related Vulnerabilities
PHP Other Vulnerability (CVE-2006-4625)
TYPO3 Permissions, Privileges, and Access Controls Vulnerability (CVE-2008-2717)
SharePoint CVE-2022-44690 Vulnerability (CVE-2022-44690)
Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2013-1830)
WordPress Plugin Users Ultra Membership Arbitrary File Upload (1.5.58)