
JVNDB-2014-000094

Piwigo vulnerable to SQL injection

Overview

Piwigo is software for managing and hosting image files on the web. Piwigo contains a SQL injection vulnerability.

Yuji Tounai of bogus.jp reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V2 Severity:
Base Metrics 6.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products

Piwigo
  • Piwigo versions 2.6.3 and earlier

Impact

An authenticated attacker may obtain information stored in the database.

Solution

[Apply a patch]
Apply the patch according to the information provided by the developer.

According to the developer, this issue was addressed in Changeset 28678.

Vendor Information

Piwigo

CWE

  1. SQL Injection (CWE-89) [IPA Evaluation]

CVE

  1. CVE-2014-4649

References

  1. JVN : JVN#87962145

Revision History

  • [2014/08/08]
      Web page was published