CVE-2021-27973

7.2 HIGH

📋 TL;DR

This SQL injection vulnerability in Piwigo lets an authenticated administrator (or anyone holding an admin session) execute arbitrary SQL via the language parameter of the admin.php?page=languages endpoint. It affects Piwigo versions before 11.4.0 and can compromise database integrity and expose everything stored in the Piwigo database. Because the endpoint sits behind the admin login, the realistic attacker is a compromised or malicious admin account rather than an anonymous visitor.

💻 Affected Systems

Products:
  • Piwigo
Versions: All versions before 11.4.0
Operating Systems: All platforms running Piwigo
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable endpoint is only reachable after admin login; once authenticated, nothing else stands between the attacker and the injection, so the admin credential is the only control.

📦 What is this software?

Piwigo is an open-source photo gallery web application written in PHP and backed by a MySQL/MariaDB database. The admin interface (admin.php) is served from the same web root as the public gallery.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, privilege escalation, or remote code execution if the database account's privileges allow it (for example, a MySQL user holding the FILE privilege can write a PHP file into a web-writable directory with SELECT ... INTO OUTFILE unless secure_file_priv prevents it).

🟠 Likely Case: Unauthorized reading, modification, or deletion of Piwigo database contents, including user records and password hashes, album and photo metadata, and site configuration.

🟢 If Mitigated: Limited impact when admin access is restricted to trusted networks and the Piwigo database account holds only the privileges the application needs (no FILE, no access to other schemas).

🌐 Internet-Facing: HIGH - admin.php is served alongside the public gallery, so an internet-facing install exposes the admin login to credential stuffing and phishing, and a stolen admin credential leads straight to the injection.
🏢 Internal Only: MEDIUM - Still exploitable by anyone on the internal network who obtains admin credentials, but the pool of potential attackers is smaller than for an internet-facing deployment.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin authentication but SQL injection payloads are straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.4.0 and later

Vendor Advisory: https://github.com/Piwigo/Piwigo/issues/1352

Restart Required: No

Instructions:

1. Back up your Piwigo installation files and database.
2. Download Piwigo 11.4.0 or later from official sources.
3. Replace the existing files with the new version.
4. Verify functionality after the upgrade (log in, open the admin dashboard, confirm the reported version).

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

Add input validation so the language parameter is checked before it reaches any SQL query.

Modify the languages admin page handler (admin/languages.php, included by admin.php?page=languages) to accept only values from a whitelist, for example the identifiers of language directories actually installed under language/ (they have the form ll_CC, such as en_UK or fr_FR), and reject anything else before any database access.

Access Restriction (all platforms)

Restrict access to the admin.php endpoint to trusted IP addresses only.

Add IP-based restrictions in the web server configuration or .htaccess so that admin.php is only reachable from administrator networks; the public gallery can remain open.
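A worked form of the access restriction above, added here as an example and not taken from Piwigo or the advisory. It assumes Apache 2.4 (Require syntax) and uses 203.0.113.0/24 and 192.0.2.10 as placeholder trusted addresses.

```apache
# Added example for Apache 2.4. Put this in the .htaccess at the Piwigo web root
# (AllowOverride must permit <Files> and Require) or in the vhost's <Directory> block.
# 203.0.113.0/24 and 192.0.2.10 are placeholders; replace them with your admin network.
<Files "admin.php">
    Require ip 203.0.113.0/24 192.0.2.10
</Files>
```

Only admin.php is gated, so the gallery itself stays reachable. If Apache sits behind a reverse proxy or load balancer, the client address it sees is the proxy's unless mod_remoteip (or equivalent) is configured to trust X-Forwarded-For from that proxy; check that before relying on this rule.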

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SQL injection patterns targeting the language parameter
  • Restrict database user permissions to minimum required for Piwigo functionality

🔍 How to Verify

Check if Vulnerable:

Check the Piwigo version in the admin dashboard, or read the PHPWG_VERSION constant from include/constants.php in the Piwigo root. Any version below 11.4.0 is affected.

Check Version:

grep 'PHPWG_VERSION' piwigo/include/constants.php

Verify Fix Applied:

Confirm that PHPWG_VERSION reports 11.4.0 or later. If you also want a behavioural check, do it on a staging copy: append a single quote to an otherwise valid language value and confirm the page neither errors nor changes behaviour. Do not run injection payloads against a production database.
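The version check above, written out as a small script. This is an added example, not Piwigo code: it parses the define() line that include/constants.php uses for PHPWG_VERSION (the sample file content is constructed inline) and compares the version numerically, which avoids the string-comparison trap where "11.10.0" sorts before "11.4.0".

```python
import re

# Constructed sample of the relevant lines from include/constants.php (not read from disk).
SAMPLE_CONSTANTS = (
    "<?php\n"
    "define('PHPWG_VERSION', '11.3.0');\n"
    "define('PHPWG_DEFAULT_LANGUAGE', 'en_UK');\n"
)

FIXED_IN = (11, 4, 0)  # CVE-2021-27973 is fixed in Piwigo 11.4.0
VERSION_RE = re.compile(r"define\(\s*'PHPWG_VERSION'\s*,\s*'([^']+)'\s*\)")


def extract_version(constants_php: str):
    """Return the PHPWG_VERSION string from constants.php content, or None if absent."""
    m = VERSION_RE.search(constants_php)
    return m.group(1) if m else None


def parse_version(version: str) -> tuple:
    """'11.3.0' -> (11, 3, 0). A trailing suffix such as 'beta1' is dropped
    (assumption: Piwigo tags look like x.y.z with an optional suffix)."""
    nums = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the fix."""
    return parse_version(version) < FIXED_IN


def check_install(constants_php: str) -> dict:
    """Summarise an install: version found and whether it is below 11.4.0."""
    version = extract_version(constants_php)
    if version is None:
        return {"version": None, "vulnerable": None}
    return {"version": version, "vulnerable": is_vulnerable(version)}


if __name__ == "__main__":
    # On a real host: check_install(open("piwigo/include/constants.php").read())
    print(check_install(SAMPLE_CONSTANTS))
```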

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL statements in the database logs (MySQL general query log or slow query log), in particular UNION, SLEEP or BENCHMARK clauses arriving from the Piwigo application user
  • Multiple failed login attempts followed by successful admin.php access from the same client
  • Web server access logs showing a language parameter that contains SQL keywords such as UNION, SELECT or INSERT, quotes, or comment sequences, or that is anything other than a plain ll_CC language identifier

Network Indicators:

  • HTTP requests to admin.php?page=languages with suspicious language parameter values

SIEM Query:

web.url: "*admin.php?page=languages*" AND (web.param.language: "*UNION*" OR web.param.language: "*SELECT*" OR web.param.language: "*INSERT*")

The field names are placeholders; adapt them to your log schema. Keyword matching alone misses boolean- and time-based payloads (for example ' OR 1=1 or SLEEP()), so also alert on any language value that does not match the expected ll_CC identifier shape.
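The detection logic above, run over access-log lines. This is an added example, not part of the advisory: it parses combined-format web server log lines (the sample lines are constructed, with RFC 5737 documentation addresses), URL-decodes the query string, and flags requests to admin.php?page=languages whose language parameter either contains SQL tokens or simply does not look like a Piwigo language identifier. The ll_CC identifier shape (en_UK, fr_FR) is an assumption about Piwigo's language directory names.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache/nginx combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:12:00:01 +0000] "GET /piwigo/admin.php?page=languages HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2021:12:00:09 +0000] "GET /piwigo/admin.php?page=languages&language=fr_FR HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2021:12:01:15 +0000] "GET /piwigo/admin.php?page=languages&language=fr_FR%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 7312 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2021:12:01:16 +0000] "GET /piwigo/admin.php?page=languages&language=fr_FR%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2021:12:01:30 +0000] "GET /piwigo/admin.php?page=languages&language=fr-FR HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2021:12:02:00 +0000] "GET /piwigo/index.php?/category/select HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [time], "METHOD TARGET PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# SQL tokens named in the advisory plus the usual blind-injection helpers and syntax characters.
SQL_TOKEN_RE = re.compile(
    r"\b(union|select|insert|update|delete|sleep|benchmark|or|and)\b|--|/\*|'|\"|;",
    re.IGNORECASE,
)

# Assumption: Piwigo language identifiers look like fr_FR / en_UK (ISO 639-1 "_" ISO 3166-1).
VALID_LANG_RE = re.compile(r"^[a-z]{2}_[A-Z]{2}$")


def parse_line(line: str):
    """Return (ip, ts, method, path, query_dict, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    return m.group("ip"), m.group("ts"), m.group("method"), parts.path, query, int(m.group("status"))


def classify_language_param(value: str) -> str:
    """'ok' for a plausible language id, 'sqli' if SQL tokens appear, else 'anomalous'."""
    if VALID_LANG_RE.match(value):
        return "ok"
    if SQL_TOKEN_RE.search(value):
        return "sqli"
    return "anomalous"


def find_suspicious(log_text: str) -> list:
    """Alerts for admin.php?page=languages requests whose language value is not a plain identifier."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, query, status = parsed
        if not path.endswith("/admin.php") or query.get("page") != ["languages"]:
            continue
        for value in query.get("language", []):
            verdict = classify_language_param(value)
            if verdict != "ok":
                alerts.append({"ip": ip, "ts": ts, "method": method,
                               "status": status, "verdict": verdict, "language": value})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

Two caveats a practitioner will hit: access logs only carry GET query strings, so a payload sent in a POST body needs a WAF or mod_security audit log instead; and the "anomalous" verdict is deliberately separate from "sqli", because a malformed but harmless value (the fr-FR line) should be triaged, not paged on.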
