vendor: Piwigo
by: Manuel García Cárdenas
CVSS: N/A
Blind SQL Injection
CWE: 89
Product Name: Piwigo
Affected Version From: Piwigo <= v2.6.0
Affected Version To: Piwigo <= v2.6.0
Patch Exists: YES
Related CWE: N/A
CPE: a:piwigo:piwigo
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux Ubuntu 10.04 (Lucid Lynx)
2014

MGC ALERT 2014-001

This bug was found using the portal without authentication. Exploiting the vulnerability only requires using version 1.0 of the HTTP protocol to interact with the application. SQL code can be injected through the variable 'rate' on the page 'picture.php'.

Mitigation:

Upgrade to the latest version of Piwigo.