CVE-2024-43018

Source
https://cve.org/CVERecord?id=CVE-2024-43018
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-43018.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-43018
Published
2025-07-29T20:15:26.410Z
Modified
2026-04-10T05:16:14.451540Z
Severity
  • 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Piwigo 13.8.0 and below is vulnerable to SQL Injection in the parameters maxlevel and minregister. These parameters are used in wsusergerList function from file include\wsfunctions\pwg.users.php and this same function is called by ws.php file at some point can be used for searching users in advanced way in /admin.php?page=userlist.

References

Affected packages

Git / github.com/piwigo/piwigo

Affected ranges

Type
GIT
Repo
https://github.com/piwigo/piwigo
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "13.8.0"
        }
    ]
}

Affected versions

12.*
12.0.0RC1
12.0.0RC2
12.0.0beta1
12.0.0beta2
13.*
13.0.0
13.0.0RC1
13.0.0RC2
13.0.0RC3
13.0.0RC4
13.0.0beta1
13.0.0beta2
13.1.0
13.2.0
13.3.0
13.4.0
13.5.0
13.6.0
13.7.0
13.8.0
2.*
2.10.0RC1
2.10.0beta1
2.10.0beta2
2.11.0beta1
2.11.0beta2
2.11.0beta3
2.11.0beta4
2.8.0RC1
2.8.0RC2
2.9.0RC1
2.9.0RC2
2.9.0beta1
2.9.0beta2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-43018.json"