CVE-2014-9115

SQL injection vulnerability in the rate_picture function in include/functions_rate.inc.php in Piwigo before 2.5.5, 2.6.x before 2.6.4, and 2.7.x before 2.7.2 allows remote attackers to execute arbitrary SQL commands via the rate parameter to picture.php, related to an improper data type in a comparison of a non-numeric value that begins with a digit.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:P/A:P
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 67%
VendorProductVersion
piwigopiwigo
𝑥
≤ 2.5.5
piwigopiwigo
2.6.0
piwigopiwigo
2.6.1
piwigopiwigo
2.6.2
piwigopiwigo
2.6.3
piwigopiwigo
2.7.0
piwigopiwigo
2.7.0:beta1
piwigopiwigo
2.7.0:beta2
piwigopiwigo
2.7.0:rc1
piwigopiwigo
2.7.0:rc2
piwigopiwigo
2.7.1
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
piwigo
zesty
dne
yakkety
dne
xenial
dne
wily
dne
vivid
dne
utopic
dne
trusty
dne
precise
ignored
lucid
dne
Common Weakness Enumeration
References
http://piwigo.org/dev/changeset/30563/trunk/include/functions_rate.inc.php
http://piwigo.org/forum/viewtopic.php?id=24850
http://piwigo.org/releases/2.7.2
http://seclists.org/fulldisclosure/2014/Nov/23
http://piwigo.org/dev/changeset/30563/trunk/include/functions_rate.inc.php
http://piwigo.org/forum/viewtopic.php?id=24850
http://piwigo.org/releases/2.7.2
http://seclists.org/fulldisclosure/2014/Nov/23