An SQL injection has been discovered in the administration panel of Piwigo v2.9.5. The vulnerability allows remote attackers who are authenticated as administrator to inject SQL code into a query and display its result. This could result in full information disclosure.
The vulnerability was found in the 'delete' method in admin/group_list.php, because it does not validate or filter the '$group' parameter when it reads the request parameters. Through this vulnerability, any data in the database could be queried and displayed on the page.
In the figure, I obtained the encrypted password of the user table.
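To make the defect concrete, here is an added illustration that is not Piwigo's own code: a hypothetical admin handler that deletes the group named by a `$group` request parameter, written once in the unvalidated shape the report describes and once hardened with type validation and a bound parameter. It assumes a mysqli connection `$conn` and a `groups` table keyed by an integer `id`; the names `delete_group_unsafe` and `delete_group_safe` are invented for this example.

```php
<?php
// Added illustration, not Piwigo's code. Assumes a mysqli connection $conn
// and a `groups` table with an integer primary key `id`.

// Vulnerable shape: the request value is pasted straight into the SQL text,
// so whatever arrives in $group is interpreted as part of the query.
function delete_group_unsafe(mysqli $conn, array $request): void
{
    $group = $request['group'];                          // no validation
    $query = "DELETE FROM `groups` WHERE id = " . $group; // no filtering
    $conn->query($query);
}

// Hardened shape: validate the type before touching the database, then bind
// the value so it never becomes part of the statement text.
function delete_group_safe(mysqli $conn, array $request): bool
{
    // Group ids are positive integers; anything else is rejected up front.
    $group = filter_var($request['group'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($group === false) {
        http_response_code(400);
        return false;
    }

    // Prepared statement: the id travels as a typed parameter, not as SQL.
    $stmt = $conn->prepare('DELETE FROM `groups` WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('i', $group);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

The same two checks, an integer validation on the way in and a bound parameter on the way to the database, are what a reviewer would look for in the real handler, since either one alone closes the hole the report describes.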