CVE-2023-33362: There is a SQL Injection in the "profile" function of piwigo · Issue #1911 · Piwigo/Piwigo
Piwigo 13.6.0 is vulnerable to SQL Injection via the "profile" function.
Access the 'profile' page.
Add the 'user_id' parameter with single quotes.
Seeing a MySQL error already proves the existence of SQL injection, but we can still test further using the sleep() function.
// Try to analyze how this vulnerability was generated from a code-level perspective.
First find '/admin/profile.php'.
Track the build_user() function (in /Piwigo/include/functions_user.inc.php).
The '$user_id' enters the getuserdata() function, so continue tracking getuserdata().
Finally, the '$user_id' variable enters this SQL statement, which clearly does not filter the incoming parameter value, resulting in SQL injection.
This vulnerability affects the latest version up to 13.6.0, and it is uncertain whether other versions will be affected.
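To make the reported data flow concrete, here is an added illustration (not Piwigo's own code) modelled on the path the issue describes: a `user_id` request parameter reaches a `getuserdata()`-style function and is spliced into the query. The function names, the `users` table and its columns, and the mysqli connection are assumptions for this example; the hardened variant shows the two fixes a reviewer would expect, boundary validation of the identifier and parameter binding.

```php
<?php
// Added illustration, not Piwigo's code. Table/column names are assumed.

// Weak pattern: the request value is interpolated into the SQL text, so any
// non-numeric content in ?user_id=... is interpreted by MySQL as SQL.
function get_user_data_unsafe(mysqli $db, $user_id): ?array
{
    $sql = "SELECT id, username, mail_address FROM users WHERE id = $user_id";
    $res = $db->query($sql);          // a syntax error here surfaces as the MySQL error seen in the report
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened pattern, two independent layers:
//  1. validate at the boundary: a user id is a positive decimal integer, nothing else;
//  2. bind the value as a typed parameter so the driver never treats it as SQL text.
function get_user_data_safe(mysqli $db, $raw_user_id): ?array
{
    $valid = filter_var($raw_user_id, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
    if ($valid === false) {
        throw new InvalidArgumentException('user_id must be a positive integer');
    }
    $user_id = (int) $valid;

    $stmt = $db->prepare('SELECT id, username, mail_address FROM users WHERE id = ?');
    $stmt->bind_param('i', $user_id);   // 'i' = integer; the value is sent out-of-band, not as SQL
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() requires the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

// Request boundary (stand-in for the profile page): connection parameters are placeholders.
$db = new mysqli('localhost', 'db_user', 'db_password', 'piwigo');
try {
    $user = get_user_data_safe($db, $_GET['user_id'] ?? '');
    echo $user ? 'user found' : 'no such user';
} catch (InvalidArgumentException $e) {
    http_response_code(400);             // reject malformed ids instead of letting them reach the query
    echo 'invalid user_id';
}
```

The validation step alone would already stop the single-quote probe from the report, but binding the parameter is what makes the query safe regardless of how the value is later reused.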