Skip to main content

Piwigo CVE-2014-4649

MEDIUM
SQL Injection (CWE-89)
2014-06-28 cve@mitre.org
6.5
CVSS 2.0 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/Au:S/C:P/I:P/A:P

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

AV:N/AC:L/Au:S/C:P/I:P/A:P
Attack Vector
Network
Attack Complexity
Low
Confidentiality
P
Integrity
P
Availability
P

Lifecycle Timeline

1
CVE Published
Jun 28, 2014 - 15:55 cve.org
MEDIUM 6.5

DescriptionCVE.org

SQL injection vulnerability in the photo-edit subsystem in Piwigo 2.6.x and 2.7.x before 2.7.0beta2 allows remote authenticated administrators to execute arbitrary SQL commands via the associate[] field.

AnalysisAI

SQL injection vulnerability in the photo-edit subsystem in Piwigo 2.6.x and 2.7.x before 2.7.0beta2 allows remote authenticated administrators to execute arbitrary SQL commands via the associate[]. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. SQL injection vulnerability in the photo-edit subsystem in Piwigo 2.6.x and 2.7.x before 2.7.0beta2 allows remote authenticated administrators to execute arbitrary SQL commands via the associate[] field. Affected products include: Piwigo. Version information: before 2.7.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

More in Piwigo

View all
CVE-2013-1469 MEDIUM POC
4.0 Mar 13

Directory traversal vulnerability in install.php in Piwigo before 2.4.7 allows remote attackers to read and delete arbit

CVE-2013-1468 HIGH POC
7.6 Mar 14

Cross-site request forgery (CSRF) vulnerability in the LocalFiles Editor plugin in Piwigo before 2.4.7 allows remote att

CVE-2017-10682 CRITICAL POC
9.8 Jun 29

SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitra

CVE-2023-33362 CRITICAL POC
9.8 May 23

Piwigo 13.6.0 is vulnerable to SQL Injection via in the "profile" function. Rated critical severity (CVSS 9.8), this vul

CVE-2023-33361 CRITICAL POC
9.8 May 23

Piwigo 13.6.0 is vulnerable to SQL Injection via /admin/permalinks.php. Rated critical severity (CVSS 9.8), this vulnera

CVE-2021-32615 CRITICAL POC
9.8 May 13

Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection. Rated critical severity (CVSS 9.8), this v

CVE-2019-13364 CRITICAL POC
9.6 Sep 13

admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat_number, billing_name, company, or billing&#95

CVE-2019-13363 CRITICAL POC
9.6 Sep 13

admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm_send_html_mail, nbm_send_mai

CVE-2017-10681 HIGH POC
8.8 Jun 29

Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentica

CVE-2017-10680 HIGH POC
8.8 Jun 29

Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentica

CVE-2017-10678 HIGH POC
8.8 Jun 29

Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentica

CVE-2017-17774 HIGH POC
8.8 Dec 20

admin/configuration.php in Piwigo 2.9.2 has CSRF. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit

Share

CVE-2014-4649 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy