CVE-2023-33362
Published 2023-05-23
CVE-2023-33362: Piwigo 13.6.0 is vulnerable to SQL Injection in the "profile" function.
Priority P2 70 · critical · CVSS 3.1 base score 9.8 · vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 9.06% (94.6th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| piwigo | piwigo | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP GET requests to /admin.php with the 'page=profile' parameter where 'user_id' contains SQL metacharacters such as single quotes, OR clauses, or comment sequences (-- or #).
- The injection point is the 'user_id' parameter within the 'profile' page of the Piwigo admin interface; alert on any non-integer or SQL-syntax-bearing value supplied to this parameter.
- Exploitation requires an authenticated admin session; correlate suspicious SQL injection attempts in /admin.php?page=profile with prior successful admin logins to identify post-auth abuse.
- Exploitation requires prior authentication as an admin user; this is a post-authentication SQL injection, so network-level blocking alone is insufficient. Admin account hygiene and MFA are critical mitigating controls.
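Added example, not taken from the indexed sources or from Piwigo itself: a Python scan over constructed Apache access log lines that applies the three detection points above, flagging any non-integer 'user_id' on /admin.php?page=profile and recording whether the source IP had a prior login. The login marker (a POST to /identification.php answered with 302) is an assumption about the deployment's log shape and should be adjusted to the real login endpoint and status.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines in Apache combined format (not real traffic).
# Assumption: a POST to /identification.php answered with 302 marks a successful login.
SAMPLE_LOG = """\
10.0.0.5 - - [23/May/2023:10:01:02 +0000] "POST /identification.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [23/May/2023:10:01:30 +0000] "GET /admin.php?page=profile&user_id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [23/May/2023:10:02:15 +0000] "GET /admin.php?page=profile&user_id=3%27%20OR%201%3D1--%20 HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
10.0.0.9 - - [23/May/2023:10:03:00 +0000] "GET /admin.php?page=profile&user_id=1%23 HTTP/1.1" 302 0 "-" "curl/8.0"
"""

# client IP, method, request target and status code from a combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# SQL metacharacters the advisory lists: quotes, OR clauses, and comment sequences
SQL_META_RE = re.compile(r"'|\bor\b|--|#", re.IGNORECASE)


def is_suspicious_user_id(value: str) -> bool:
    """user_id is expected to be a plain integer; anything else is alert-worthy."""
    return not value.isdigit()


def scan_log(text: str) -> list[dict]:
    alerts, logged_in = [], set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        url = urlsplit(target)
        if method == "POST" and url.path == "/identification.php" and status == "302":
            logged_in.add(ip)  # remember sources that completed a login (assumed marker)
        if method != "GET" or url.path != "/admin.php":
            continue
        qs = parse_qs(url.query)  # parse_qs percent-decodes the values
        if qs.get("page", [""])[0] != "profile":
            continue
        for user_id in qs.get("user_id", []):
            if is_suspicious_user_id(user_id):
                alerts.append({
                    "ip": ip,
                    "user_id": user_id,
                    "sql_meta": bool(SQL_META_RE.search(user_id)),
                    "post_auth": ip in logged_in,  # prior login seen from this IP
                })
    return alerts
```

Alerts with post_auth set to True are the ones that match this CVE's precondition; the others still indicate probing and are worth keeping for context.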