CVE-2023-33362
published 2023-05-23

CVE-2023-33362: Piwigo 13.6.0 is vulnerable to SQL Injection in the "profile" function.

Priority: P2 / 70
Severity: critical
CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 9.06% (94.6th percentile)

Affected

1 range
Vendor    Product    Version range    Fixed in
piwigo    piwigo     -                -

Detection & IOCs (extracted from sources)

url:     /admin.php?page=profile&user_id=' OR 1=1 --
path:    /admin.php
version: Piwigo 13.6.0
  • Monitor HTTP GET requests to /admin.php with the 'page=profile' parameter where 'user_id' contains SQL metacharacters such as single quotes, OR clauses, or comment sequences (-- or #).
  • The injection point is the 'user_id' parameter within the 'profile' page of the Piwigo admin interface; alert on any non-integer or SQL-syntax-bearing value supplied to this parameter.
  • Exploitation requires an authenticated admin session; correlate suspicious SQL injection attempts in /admin.php?page=profile with prior successful admin logins to identify post-auth abuse.
  • Exploitation requires prior authentication as an admin user; this is a post-authentication SQL injection, so network-level blocking alone is insufficient. Admin account hygiene and MFA are the critical mitigating controls.
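As an added example (not from the CVE entry or from the Piwigo project), the monitoring guidance above expressed as a small log scanner: it parses Apache-style combined access log lines and flags GET /admin.php?page=profile requests whose user_id is not a plain integer and carries the SQL syntax the bullets name. The log format, the sample lines and the field names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Request portion of an Apache/nginx combined-format access log line (format is an assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# SQL syntax the CVE entry calls out for this parameter: quotes, OR clauses, comment sequences.
SQL_SYNTAX_RE = re.compile(r"""['"]|\bor\b|--|#|/\*|;""", re.IGNORECASE)

def is_suspicious_user_id(value: str) -> bool:
    """Piwigo's user_id is a plain integer; anything else carrying SQL syntax is flagged."""
    value = unquote_plus(value)  # second decode catches double-encoded values
    if value.isdigit():
        return False
    return bool(SQL_SYNTAX_RE.search(value))

def is_profile_injection_attempt(target: str) -> bool:
    """True for /admin.php?page=profile requests whose user_id looks like SQL injection."""
    parts = urlsplit(target)
    if parts.path != "/admin.php":
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("page", [""])[0] != "profile":
        return False
    return any(is_suspicious_user_id(v) for v in params.get("user_id", []))

def scan_access_log(lines):
    """Return one dict per flagged line, keeping the fields an analyst needs to pivot on."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("method") == "GET" and is_profile_injection_attempt(m.group("target")):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "target": m.group("target"), "status": m.group("status")})
    return hits

# Constructed sample lines: a benign profile view, two injection attempts, an unrelated request.
SAMPLE_LOG = [
    '203.0.113.10 - - [23/May/2023:10:14:02 +0000] "GET /admin.php?page=profile&user_id=42 HTTP/1.1" 200 5120',
    '203.0.113.10 - - [23/May/2023:10:15:47 +0000] "GET /admin.php?page=profile&user_id=%27+OR+1%3D1+-- HTTP/1.1" 200 8810',
    '198.51.100.7 - - [23/May/2023:10:16:03 +0000] "GET /index.php?/category/3 HTTP/1.1" 200 2048',
    '203.0.113.10 - - [23/May/2023:10:16:30 +0000] "GET /admin.php?page=profile&user_id=1%27%23 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} -> {hit['target']} (HTTP {hit['status']})")
```

Because the flaw is post-authentication, join the flagged source IPs against successful admin logins in the application log before raising an incident.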