By Rodolfo Tavares

Among the research activities conducted by Tempest Security Intelligence's Technical Consulting team, an exploitable vulnerability was identified in Piwigo, an open source application widely used for image management.

The critical vulnerability, recognized and publicly reported by MITRE under the identifier CVE-2023-26876, is an SQL injection flaw that allows an attacker to inject malicious SQL code directly into the application's database queries, enabling access to and retrieval of sensitive server data.

SQL injection is a common type of attack in which an attacker manipulates input sent to the application so that it is executed as commands by the database. This vulnerability can allow the intruder to access, modify, or delete critical application data.
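To make the mechanism concrete, the following is an added example written for this post; it is not Piwigo's code and is not taken from the Tempest advisory. It uses Python with an in-memory SQLite database and a constructed `images` table (the schema and rows are invented for the demonstration). The unsafe function splices user input into the SQL text, so a single quote in the input changes the query's structure; the hardened function binds the input as a parameter, so the database treats it purely as a value.

```python
import sqlite3


def build_demo_db():
    """Create an in-memory SQLite database with constructed sample rows.

    The table and its contents are invented for this example and are not
    Piwigo's schema.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE images (id INTEGER PRIMARY KEY, name TEXT, category TEXT)"
    )
    conn.executemany(
        "INSERT INTO images (name, category) VALUES (?, ?)",
        [("sunset.jpg", "public"), ("family.jpg", "private"), ("logo.png", "public")],
    )
    conn.commit()
    return conn


def list_images_unsafe(conn, category):
    # Vulnerable pattern: the input becomes part of the SQL text, so a quote
    # character in it closes the string literal and the rest is parsed as SQL.
    sql = f"SELECT name FROM images WHERE category = '{category}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def list_images_safe(conn, category):
    # Hardened pattern: a bound parameter is always handled as a value,
    # never as SQL, regardless of which characters it contains.
    sql = "SELECT name FROM images WHERE category = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (category,))]


# Constructed input that terminates the quoted literal early. The same string
# is used below to show how differently the two functions treat it.
CRAFTED_INPUT = "public' OR '1'='1"


if __name__ == "__main__":
    db = build_demo_db()
    # Unsafe: the condition becomes always-true and private rows leak.
    print("unsafe:", list_images_unsafe(db, CRAFTED_INPUT))
    # Safe: no category is literally named "public' OR '1'='1", so nothing matches.
    print("safe:  ", list_images_safe(db, CRAFTED_INPUT))
```

The fix is not input filtering but keeping data and code separate: with a parameterized query the database never re-parses the input as SQL, which is the same property a prepared statement provides in PHP's PDO or mysqli. When reviewing code for this class of flaw, look for any query whose text is assembled from request data by string concatenation or interpolation.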

Piwigo has acknowledged the severity of the issue and released a security patch to address it. It is recommended that all Piwigo users update their systems immediately to prevent potential attacks.

The public record of the identified vulnerability in Piwigo, CVE-2023-26876, is available at the link below.

https://nvd.nist.gov/vuln/detail/CVE-2023-26876