CVE-2021-40317

8.8 HIGH

📋 TL;DR

CVE-2021-40317 is a SQL injection vulnerability in Piwigo's admin.php file via the id parameter. This allows authenticated attackers to execute arbitrary SQL commands on the database. Only Piwigo administrators who can access admin.php are affected.

💻 Affected Systems

Products:
  • Piwigo
Versions: 11.5.0 specifically
Operating Systems: All platforms running Piwigo
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin access to admin.php endpoint; earlier versions may also be vulnerable but CVE specifically mentions 11.5.0.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including data theft, modification, or deletion; potential privilege escalation to full system control if database permissions allow.

🟠 Likely Case: Unauthorized data access, modification of gallery content, or extraction of sensitive information such as user credentials.

🟢 If Mitigated: Limited impact with proper input validation and parameterized queries preventing SQL injection.

🌐 Internet-Facing: HIGH if the admin interface is exposed to the internet without proper authentication controls.
🏢 Internal Only: MEDIUM, as it requires authenticated admin access but could be exploited by malicious insiders.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection via the id parameter is a well-understood attack vector; it requires admin authentication but is trivial to exploit once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.5.1 or later

Vendor Advisory: https://github.com/Piwigo/Piwigo/issues/1470

Restart Required: No

Instructions:

1. Back up the database and files.
2. Download Piwigo 11.5.1+ from the official site.
3. Replace the affected files.
4. Verify admin.php functionality.

🔧 Temporary Workarounds

Input Validation Filter

all

Add input validation to the id parameter before it is processed

Modify admin.php to validate the id parameter as an integer before it is used. is_numeric() also accepts floats and exponent notation, so FILTER_VALIDATE_INT is the stricter check:
if (isset($_GET['id']) && filter_var($_GET['id'], FILTER_VALIDATE_INT) === false) { die('Invalid input'); }

Access Restriction

linux

Restrict admin.php access to specific IP addresses (192.168.1.0/24 is an example range; substitute your admin network)

Add to .htaccess, scoped to admin.php so the rest of the gallery stays reachable (Apache 2.2 syntax; on Apache 2.4 use "Require ip 192.168.1.0/24" inside the same <Files> block):
<Files "admin.php">
Order Deny,Allow
Deny from all
Allow from 192.168.1.0/24
</Files>

🧯 If You Can't Patch

  • Implement web application firewall (WAF) with SQL injection rules
  • Restrict database user permissions to minimum required

🔍 How to Verify

Check if Vulnerable:

Check whether the installation runs Piwigo 11.5.0, and test the admin.php id parameter with SQL injection payloads.

Check Version:

Check includes/version.inc.php or admin dashboard for version number

Verify Fix Applied:

Verify that the version is 11.5.1 or later and that SQL injection attempts return an error or have no effect on the database.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by admin.php access
  • Suspicious id parameter values in web server logs

Network Indicators:

  • SQL syntax in HTTP GET parameters
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="*admin.php*" AND (query="*id=*UNION*" OR query="*id=*SELECT*" OR query="*id=*INSERT*")
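The SIEM query above matches only three keywords and only when they appear unencoded in the URL. As an added example (not from this page or from Piwigo), the Python below applies the stricter rule the workaround section relies on to web server access logs: any admin.php request whose decoded id parameter is not a plain integer is flagged, and the reason (SQL tokens versus merely non-integer) is recorded. The log lines are constructed in Apache combined format; the IP addresses and paths are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" access log; only client IP, timestamp and request URI are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)
# A valid Piwigo id is a bare decimal integer; anything else is suspicious.
INT_RE = re.compile(r'^\d+$')
# Common SQL injection tokens, checked only after the integer rule has failed.
SQL_TOKENS = re.compile(r"\b(union|select|insert|update|delete|or|and)\b|--|/\*|'", re.I)

# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = [
    '203.0.113.7 - - [10/Sep/2021:10:01:02 +0000] "GET /piwigo/admin.php?page=photo&id=42 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Sep/2021:10:01:09 +0000] "GET /piwigo/admin.php?page=photo&id=42%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 5200',
    '203.0.113.7 - - [10/Sep/2021:10:01:15 +0000] "GET /piwigo/admin.php?page=photo&id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5200',
    '198.51.100.4 - - [10/Sep/2021:10:02:00 +0000] "GET /piwigo/index.php?/category/3 HTTP/1.1" 200 9000',
    '198.51.100.4 - - [10/Sep/2021:10:02:30 +0000] "GET /piwigo/admin.php?page=photo&id=abc HTTP/1.1" 200 5100',
]

def classify_id(value):
    """Return None for a well-formed integer id, otherwise a short reason string."""
    if INT_RE.match(value):
        return None
    if SQL_TOKENS.search(value):
        return 'sql_tokens'
    return 'non_integer'

def scan(lines):
    """Return (ip, timestamp, decoded id, reason) for admin.php requests with a suspicious id."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        parts = urlsplit(m['uri'])
        if not parts.path.endswith('/admin.php'):
            continue  # only the vulnerable endpoint is of interest
        # parse_qs percent-decodes once, so encoded payloads are inspected in clear text.
        for value in parse_qs(parts.query, keep_blank_values=True).get('id', []):
            reason = classify_id(value)
            if reason:
                hits.append((m['ip'], m['ts'], value, reason))
    return hits

if __name__ == '__main__':
    for ip, ts, value, reason in scan(SAMPLE_LOGS):
        print(f'{ts} {ip} admin.php id={value!r} -> {reason}')
```

Lines that fail the integer rule but carry no SQL tokens still deserve review, since a WAF-evading payload may avoid the obvious keywords.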
