Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2014-9115

Overview

Vulnerability Score 7.5 7.5
CVE Id CVE-2014-9115
Last Modified 23 Dec 2014 02:12:08
Published 23 Dec 2014 06:59:04
Confidentiality Impact PARTIAL PARTIAL
Integrity Impact PARTIAL PARTIAL
Availability Impact PARTIAL PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2014-9115

Summary

SQL injection vulnerability in the rate_picture function in include/functions_rate.inc.php in Piwigo before 2.5.5, 2.6.x before 2.6.4, and 2.7.x before 2.7.2 allows remote attackers to execute arbitrary SQL commands via the rate parameter to picture.php, related to an improper data type in a comparison of a non-numeric value that begins with a digit.

Vulnerable Systems

Application

  • Piwigo 2.5.5

  • Piwigo 2.6.0

  • Piwigo 2.6.1

  • Piwigo 2.6.2

  • Piwigo 2.6.3

  • Piwigo 2.7.0

  • Piwigo 2.7.1


References

CONFIRM - http://piwigo.org/releases/2.7.2

FULLDISC - 20141112 Piwigo <= v2.6.0 - Blind SQL Injection

CONFIRM - http://piwigo.org/forum/viewtopic.php?id=24850

CONFIRM - http://piwigo.org/dev/changeset/30563/trunk/include/functions_rate.inc.php


Last Updated: 27 May 2016 11:07:21