Lucene search

[email protected]NVD:CVE-2023-26876

HistoryApr 21, 2023 - 3:15 p.m.

CVE-2023-26876

2023-04-2115:15:07

CWE-89

[email protected]

web.nvd.nist.gov

sql injection

piwigo

remote attacker

arbitrary code

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

0.022 Low

EPSS

Percentile

89.5%

JSON

SQL injection vulnerability found in Piwigo v.13.5.0 and before allows a remote attacker to execute arbitrary code via the filter_user_id parameter to the admin.php?page=history&filter_image_id=&filter_user_id endpoint.

Affected configurations

NVD

Node

piwigopiwigoRange≤13.5.0

References

packetstormsecurity.com/files/172059/Piwigo-13.5.0-SQL-Injection.html

seclists.org/fulldisclosure/2023/Apr/13

gist.github.com/rodnt/a190d14d1715890d8df19bad58b90693

piwigo.com

www.tempest.com.br

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

0.022 Low

EPSS

Percentile

89.5%

JSON

Related for NVD:CVE-2023-26876

cve1 prion1 packetstorm1 zdt1 osv1 cvelist1 metasploit1 rapid7blog1