CVE-2014-9115
Piwigo before 2.5.5, 2.6.x before 2.6.4, and 2.7.x before 2.7.2 - SQL Injection in rate_picture (rate parameter of picture.php)
SQL injection vulnerability in the rate_picture function in include/functions_rate.inc.php in Piwigo before 2.5.5, 2.6.x before 2.6.4, and 2.7.x before 2.7.2 allows remote attackers to execute arbitrary SQL commands via the rate parameter to picture.php, related to an improper data type in a comparison of a non-numeric value that begins with a digit. In practical terms: the submitted rate is checked against a list of allowed integer values with a loose (non-strict) PHP comparison, under which a string that merely begins with a digit (for example "3 ...") compares equal to the integer 3 and passes the check, and the original, unmodified string is then placed into the SQL statement. Note that the juggling behaviour this relies on changed in PHP 8, where a leading-numeric but non-numeric string no longer compares equal to an integer; the affected Piwigo releases predate that change.
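The following PHP is an added illustration of the root cause described above. It is editor-written, not Piwigo's code: the check and the INSERT are a simplified reconstruction based on the CVE text (an allowlist check on the rate followed by unquoted interpolation into an INSERT), the table and column names are assumptions, and the hardened check is this editor's suggested fix rather than a copy of the upstream changeset linked under References. The sample rate values are constructed inputs, not the public proof of concept.

```php
<?php
// Added example for CVE-2014-9115 (not Piwigo's source). Simplified
// reconstruction: an allowlist check on $rate followed by unquoted
// interpolation into an INSERT. Table/column names are assumptions.

$conf = ['rate' => true, 'rate_items' => [0, 1, 2, 3, 4, 5]];

// Vulnerable shape: in_array() without the strict flag uses loose (==)
// comparison. On PHP 5/7 a leading-numeric string such as "3 OR SLEEP(5)"
// is converted to 3 for the comparison, so it passes the allowlist even
// though it is not one of the allowed values. (On PHP 8 the same string is
// compared as a string against "3" and fails, which is why this example
// prints a different "loose" column on PHP 8.)
function rate_is_allowed_loose(array $conf, $rate): bool
{
    return isset($rate) && $conf['rate'] && in_array($rate, $conf['rate_items']);
}

// Hardened shape (editor's suggestion): accept only a string of decimal
// digits, cast it, and compare strictly. Either the cast or the strict flag
// alone would close this particular bypass; doing both costs nothing.
function rate_is_allowed_strict(array $conf, $rate): bool
{
    if (!isset($rate) || !$conf['rate']) {
        return false;
    }
    if (!is_string($rate) && !is_int($rate)) {
        return false;
    }
    // ctype_digit() accepts only [0-9]+; "", "-1", "3 OR ..." all fail here.
    if (!ctype_digit((string) $rate)) {
        return false;
    }
    return in_array((int) $rate, $conf['rate_items'], true);
}

// Query shape the CVE describes: rate is interpolated unquoted, so whatever
// survives the check is executed as SQL. Assumed table/column names.
function build_insert(int $userId, string $anonId, int $imageId, $rate): string
{
    return "INSERT INTO piwigo_rate (user_id, anonymous_id, element_id, rate, date)"
         . " VALUES ($userId, '" . addslashes($anonId) . "', $imageId, $rate, NOW())";
}

$payload = '3 OR SLEEP(5)';   // constructed sample, not the published PoC

// Constructed sample inputs: a legitimate rate, the payload, an out-of-range
// value, a trailing-garbage value and the empty string.
foreach (['3', $payload, '7', '3abc', ''] as $rate) {
    printf("%-18s loose=%-5s strict=%s\n",
        var_export($rate, true),
        rate_is_allowed_loose($conf, $rate) ? 'true' : 'false',
        rate_is_allowed_strict($conf, $rate) ? 'true' : 'false');
}

// Show what the loose check lets through to the database.
if (rate_is_allowed_loose($conf, $payload)) {
    echo build_insert(2, 'abc', 10, $payload), "\n";
}
```

Run under PHP 7 the loose column reports true for "3", the payload, "3abc" and the empty string (an empty string compares equal to 0 under PHP 7 loose comparison, another consequence of the same juggling), while the strict column is true only for "3". The printed INSERT makes the consequence concrete: the injected text sits directly in the VALUES list. Even with the check fixed, the durable remedy is to bind the rate as a parameter rather than concatenate it into the statement.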
Exploits (1)
exploitdb
WRITEUP
by Manuel García Cárdenas · text / webapps / php
https://www.exploit-db.com/exploits/35221
References (4)
Vendor Advisory (x_refsource_confirm)
http://piwigo.org/forum/viewtopic.php?id=24850
Patch (x_refsource_confirm)
http://piwigo.org/releases/2.7.2
Exploit, mailing list (x_refsource_fulldisc)
http://seclists.org/fulldisclosure/2014/Nov/23
Various Sources (x_refsource_confirm), the fixing changeset
http://piwigo.org/dev/changeset/30563/trunk/include/functions_rate.inc.php
Scores
EPSS
0.0058 (69.0th percentile)
Details
CWE
CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, "SQL Injection")
Status
published
Products (7)
piwigo/piwigo
2.6.0
piwigo/piwigo
2.6.1
piwigo/piwigo
2.6.2
piwigo/piwigo
2.6.3
piwigo/piwigo
2.7.0 (5 CPE variants)
piwigo/piwigo
2.7.1
piwigo/piwigo
< 2.5.5
Published
Dec 23, 2014
Tracked Since
Feb 18, 2026