CVE-2024-43018

Piwigo 13.8.0 and below is vulnerable to SQL Injection in the parameters max_level and min_register. These parameters are used in ws_user_gerList function from file include\ws_functions\pwg.users.php and this same function is called by ws.php file at some point can be used for searching users in advanced way in /admin.php?page=user_list.

CVSS v3 6.4 MEDIUM

6.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/Piwigo/Piwigo/issues/2197
https://github.com/inesmarcal/CVE-2024-43018
https://github.com/joaosilva21/CVE-2024-43018

Configurations

No configuration.

History

30 Jul 2025, 13:15

Type	Values Removed	Values Added
Summary		(es) Piwigo 13.8.0 y versiones anteriores son vulnerables a la inyección SQL en los parámetros max_level y min_register. Estos parámetros se utilizan en la función ws_user_gerList del archivo include\ws_functions\pwg.users.php, que es llamada por el archivo ws.php y puede utilizarse para buscar usuarios de forma avanzada en /admin.php?page=user_list.
References		() https://github.com/inesmarcal/CVE-2024-43018 -

29 Jul 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-29 20:15

Updated : 2025-07-30 13:15

NVD link : CVE-2024-43018

Mitre link : CVE-2024-43018

CVE.ORG link : CVE-2024-43018

JSON object : View

Products Affected

No product.

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

6.4 /10