CVE-2017-10682 in Piwigo
Summary
by MITRE
SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter in the comments or status page to cat_options.php.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 10/30/2025
The CVE-2017-10682 vulnerability represents a critical SQL injection flaw discovered in Piwigo version 2.9.1 and earlier, affecting the administrative backend functionality. This vulnerability specifically targets the cat_options.php script within the comments or status page functionality, where user input is improperly sanitized before being incorporated into database queries. The flaw allows remote attackers to manipulate the application's database operations by injecting malicious SQL commands through the cat_false or cat_true parameters, which are used to manage category options in the administrative interface.
The technical exploitation of this vulnerability occurs when an attacker submits crafted input through the vulnerable parameters in the administrative backend. The application fails to properly validate or escape user-supplied data before incorporating it into SQL queries, creating an opportunity for attackers to manipulate the database structure or execute unauthorized commands. This type of vulnerability falls under CWE-89, which specifically addresses SQL injection flaws, and represents a classic example of insufficient input validation in web applications. The vulnerability's impact is particularly severe in administrative contexts where elevated privileges are required, as successful exploitation could provide attackers with complete database access and potentially full system compromise.
From an operational perspective, this vulnerability presents significant risk to Piwigo installations as it allows remote code execution without requiring authentication for the specific attack vector. Attackers can leverage this flaw to extract sensitive data, modify or delete database entries, and potentially escalate privileges within the application. The vulnerability affects the administrative backend functionality, which typically requires elevated access levels, making the potential impact more severe than standard user-facing SQL injection vulnerabilities. According to ATT&CK framework, this vulnerability maps to T1071.004 for application layer protocol and T1046 for network service scanning, as attackers would need to identify and exploit this specific endpoint to gain access to the administrative interface.
The exploitation process involves crafting malicious input parameters that bypass standard input validation checks and inject SQL syntax into the database queries. This typically requires understanding the database schema and constructing payloads that can manipulate the intended query structure. Security professionals should note that this vulnerability demonstrates the critical importance of input validation and parameterized queries in preventing SQL injection attacks. Organizations using Piwigo versions prior to 2.9.2 should implement immediate mitigations including patching the application to the latest version, implementing web application firewalls, and conducting thorough security audits of administrative endpoints. The vulnerability also highlights the need for proper access controls and the principle of least privilege in administrative interfaces, as any compromise of these areas can lead to complete system takeover.