CVE-2017-9463: SQL Injection
First published: Wed Jun 14 2017(Updated: )
The application Piwigo is affected by a SQL injection vulnerability in version 2.9.0 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. The user_list_backend.php component is affected: values of the iDisplayStart & iDisplayLength parameters are not sanitized; these are used to construct a SQL query and retrieve a list of registered users into the application.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Piwigo | <=2.9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2017-9463?
CVE-2017-9463 has been classified as a medium severity SQL injection vulnerability.
How do I fix CVE-2017-9463?
To fix CVE-2017-9463, upgrade Piwigo to version 2.9.1 or later, where the vulnerability is patched.
Who is affected by CVE-2017-9463?
Users of Piwigo versions 2.9.0 and potentially earlier versions are affected by CVE-2017-9463.
What can attackers do with CVE-2017-9463?
Attackers can exploit CVE-2017-9463 to perform SQL injection attacks, potentially exposing sensitive database information.
Is CVE-2017-9463 a remote vulnerability?
Yes, CVE-2017-9463 is a remote SQL injection vulnerability that requires authentication to exploit.
- agent/references
- agent/severity
- agent/author
- agent/weakness
- agent/description
- agent/type
- agent/softwarecombine
- agent/last-modified-date
- agent/remedy
- agent/first-publish-date
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/event
- vendor/piwigo
- canonical/piwigo
- version/piwigo/2.9.0