CVE-2023-33361

9.8 CRITICAL

📋 TL;DR

Piwigo 13.6.0 contains a SQL injection vulnerability in the /admin/permalinks.php endpoint that allows attackers to execute arbitrary SQL commands. This affects all Piwigo installations running version 13.6.0. Attackers can potentially access, modify, or delete database content.

💻 Affected Systems

Products:
  • Piwigo
Versions: 13.6.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with admin access enabled

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, privilege escalation, or complete system takeover via SQL injection to RCE chaining

🟠

Likely Case

Unauthorized database access allowing extraction of sensitive user data, configuration information, or administrative credentials

🟢

If Mitigated

Limited impact with proper input validation and WAF rules blocking SQL injection patterns

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin access to reach the vulnerable endpoint

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 13.6.1

Vendor Advisory: https://github.com/Piwigo/Piwigo/issues/1910

Restart Required: No

Instructions:

1. Back up your Piwigo installation and database.
2. Download Piwigo 13.6.1 or later from the official repository.
3. Replace the vulnerable files with the patched versions.
4. Verify the fix by checking the version.

🔧 Temporary Workarounds

Restrict admin access

Applies to: all

Limit access to the admin interface to trusted IP addresses only.

# Configure web server to restrict /admin/ path to specific IPs

Disable permalinks module

Applies to: all

Temporarily disable the vulnerable permalinks functionality.

# Rename or remove /admin/permalinks.php file

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries at application level
  • Deploy a web application firewall with SQL injection protection rules

🔍 How to Verify

Check if Vulnerable:

Check if running Piwigo version 13.6.0 and if /admin/permalinks.php exists

Check Version:

Check Piwigo admin dashboard or examine include/constants.php for version number

Verify Fix Applied:

Verify Piwigo version is 13.6.1 or later and test SQL injection attempts are blocked
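The version check above can be scripted. The following is an added example, not code from this advisory or from the Piwigo project: it reads the version string out of a copy of include/constants.php and classifies it against the affected version (13.6.0) and the fix version (13.6.1) stated on this page. The constant name PHPWG_VERSION and the sample file contents are assumptions for the example.

```python
import re

# Constructed sample of the relevant line from include/constants.php.
# The constant name PHPWG_VERSION is an assumption for this example.
SAMPLE_CONSTANTS_PHP = "<?php\ndefine('PHPWG_VERSION', '13.6.0');\n"

AFFECTED = (13, 6, 0)   # version listed as affected on this page
FIXED = (13, 6, 1)      # patch version listed on this page

VERSION_RE = re.compile(r"define\(\s*'PHPWG_VERSION'\s*,\s*'([^']+)'\s*\)")


def extract_version(php_source):
    """Return the version string from constants.php source, or None if absent."""
    m = VERSION_RE.search(php_source)
    return m.group(1) if m else None


def parse_version(version_str):
    """Turn '13.6.0' (or '14.0.0beta1') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_str)
    if not m:
        raise ValueError("unrecognised version string: %r" % version_str)
    return tuple(int(x) for x in m.groups())


def assess(version_str):
    """Classify a version against what this advisory states.

    'vulnerable' - exactly the affected release
    'patched'    - the fix version or later
    'not listed' - anything else; consult the vendor advisory before assuming safe
    """
    v = parse_version(version_str)
    if v == AFFECTED:
        return "vulnerable"
    if v >= FIXED:
        return "patched"
    return "not listed"


def assess_source(php_source):
    """Extract the version from constants.php source and classify it."""
    version = extract_version(php_source)
    if version is None:
        return "unknown"
    return assess(version)


if __name__ == "__main__":
    print(extract_version(SAMPLE_CONSTANTS_PHP), "->", assess_source(SAMPLE_CONSTANTS_PHP))
```

Run it against the real file with `assess_source(open("include/constants.php").read())`. Releases older than 13.6.0 are deliberately reported as "not listed" rather than "safe", because this page only names 13.6.0 as affected.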

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts to admin interface
  • Requests to /admin/permalinks.php with SQL-like parameters

Network Indicators:

  • HTTP requests containing SQL keywords (SELECT, UNION, etc.) to admin endpoints
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND (uri="/admin/permalinks.php" AND (query="*SELECT*" OR query="*UNION*" OR query="*OR 1=1*"))
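For teams without a SIEM, the same logic can be run directly over web server access logs. The following is an added example (not part of this advisory): it parses combined-format access log lines, URL-decodes the query string, and flags requests to /admin/permalinks.php whose query contains the SELECT, UNION or "OR 1=1" indicators listed above. The log lines, the client addresses and the cat_id parameter name are constructed for the example and do not come from this page.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
# Only the 2nd and 3rd lines should be flagged: same endpoint, SQL-like query.
# The last line contains "select" in its query but targets a different path.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2023:12:00:01 +0000] "GET /admin/permalinks.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2023:12:00:05 +0000] "GET /admin/permalinks.php?cat_id=1%20OR%201%3D1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2023:12:00:09 +0000] "GET /admin/permalinks.php?cat_id=1%20UNION%20SELECT%201 HTTP/1.1" 500 128 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2023:12:01:00 +0000] "GET /index.php?/category/select HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

VULN_PATH = "/admin/permalinks.php"

# Indicators named in the advisory's SIEM query, as case-insensitive regexes.
SQL_INDICATORS = {
    "SELECT": re.compile(r"\bSELECT\b", re.IGNORECASE),
    "UNION": re.compile(r"\bUNION\b", re.IGNORECASE),
    "OR 1=1": re.compile(r"\bOR\s+1\s*=\s*1\b", re.IGNORECASE),
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # Decode once so %20 / %3D encoded keywords are still matched.
    rec["query"] = unquote_plus(parts.query)
    return rec


def matched_indicators(query):
    """Return the names of the SQL indicators present in a decoded query string."""
    return [name for name, rx in SQL_INDICATORS.items() if rx.search(query)]


def find_suspicious(log_text):
    """Return records for requests to the vulnerable endpoint carrying SQL indicators."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != VULN_PATH:
            continue
        names = matched_indicators(rec["query"])
        if names:
            hits.append({
                "ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                "query": rec["query"], "indicators": names,
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], hit["indicators"], hit["query"])
```

The path comparison is exact, so keyword noise on unrelated URLs (the /index.php line) is not reported; a 500 response alongside a flagged query is worth prioritising, since it often reflects a query the database rejected. Note that this matches the decoded query only once; requests that are double-encoded or that use POST bodies would need the request body or a second decoding pass, which plain access logs usually do not provide.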
