CVE-2017-15969 in PG All Share Video
Summary
by MITRE
PG All Share Video 1.0 allows SQL Injection via the PATH_INFO to search/tag, friends/index, users/profile, or video_catalog/category.
Analysis
by VulDB Data Team • 10/10/2025
The vulnerability identified as CVE-2017-15969 is a critical SQL injection flaw in PG All Share Video version 1.0 that affects multiple application endpoints. It resides in the application's handling of user input taken from PATH_INFO, the portion of the URL path that follows the script name, which web applications commonly use to process URL segments and route requests to the appropriate handlers. The affected endpoints are search/tag, friends/index, users/profile, and video_catalog/category, indicating a widespread impact across the application's core functionality. The vulnerability occurs when user-supplied data from PATH_INFO is incorporated directly into SQL queries without proper sanitization or parameterization, which lets malicious actors manipulate database operations through crafted input.
This SQL injection vulnerability operates at the application layer and is classified under CWE-89, which addresses improper neutralization of special elements used in an SQL command. The flaw is a classic case of insecure input handling: the application fails to validate or escape user-provided data before incorporating it into database queries. Attackers can exploit this weakness by injecting malicious SQL fragments through PATH_INFO, potentially gaining unauthorized access to sensitive data, modifying database contents, or executing arbitrary commands on the underlying database system. The impact is particularly severe because the vulnerability affects multiple functional areas of the application, suggesting that input validation is either completely absent or inadequately implemented across the affected endpoints.
The operational impact of this vulnerability extends beyond simple data theft, as it can enable attackers to escalate privileges, access administrative functions, or even compromise the entire database infrastructure. Given that the affected endpoints handle user profiles, friend relationships, video catalogs, and search functionality, successful exploitation could result in unauthorized access to user personal information, viewing history, social connections, and multimedia content. The vulnerability's presence in the video_catalog/category endpoint particularly raises concerns about potential exposure of copyrighted material or user-generated content. From an attacker's perspective, this vulnerability aligns with ATT&CK technique T1213.002, which covers data from information repositories, and T1078, which addresses valid accounts, as the exploitation could lead to account compromise and data exfiltration.
Mitigation strategies for CVE-2017-15969 should prioritize immediate implementation of parameterized queries or prepared statements to ensure that user input is properly escaped and treated as data rather than executable code. The application should implement comprehensive input validation at multiple layers, including sanitizing PATH_INFO parameters and employing strict whitelisting for endpoint access. Additionally, the system should enforce proper access controls and implement robust logging mechanisms to detect and respond to potential exploitation attempts. Security patches should be applied immediately to update to a version that properly handles SQL injection vulnerabilities, and the application should undergo thorough security testing including dynamic application security testing and manual penetration testing to ensure all injection points are properly secured. Organizations should also consider implementing web application firewalls and database activity monitoring solutions to provide additional layers of protection against similar vulnerabilities.
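The two core mitigations above (allowlist validation of the PATH_INFO segment, then parameter binding), as an added example that is not PG All Share Video's code. The four endpoint names come from the advisory; the segment formats, schema, queries and sample data are assumptions constructed for illustration, and Python with sqlite3 is used so it runs offline.

```python
import re
import sqlite3

NUM = re.compile(r"[0-9]{1,10}")
# Endpoint names come from the advisory; the segment formats, schema and SQL
# are assumptions made for this example.
ROUTES = {
    "search/tag": (re.compile(r"[A-Za-z0-9_-]{1,32}"), "SELECT title FROM videos WHERE tag = ?"),
    "video_catalog/category": (NUM, "SELECT title FROM videos WHERE category_id = ?"),
    "users/profile": (NUM, "SELECT name FROM users WHERE id = ?"),
    "friends/index": (NUM, "SELECT friend FROM friends WHERE user_id = ?"),
}

def make_db():
    """Constructed in-memory sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE videos (tag TEXT, category_id INTEGER, title TEXT);
        CREATE TABLE users (id INTEGER, name TEXT);
        CREATE TABLE friends (user_id INTEGER, friend TEXT);
        INSERT INTO videos VALUES ('cats', 1, 'Cat video'), ('dogs', 2, 'Dog video');
        INSERT INTO users VALUES (42, 'alice');
        INSERT INTO friends VALUES (42, 'bob');
    """)
    return db

def parse_path_info(path_info):
    """Return (endpoint, value) for an allowlisted route and well-formed value, else None."""
    parts = path_info.strip("/").split("/")
    if len(parts) != 3:
        return None
    endpoint, value = "/".join(parts[:2]), parts[2]
    route = ROUTES.get(endpoint)
    if route is None or not route[0].fullmatch(value):
        return None
    return endpoint, value

def handle(db, path_info):
    """Hardened handler: validate the segment, then bind it as a parameter."""
    parsed = parse_path_info(path_info)
    if parsed is None:
        return 400, []  # reject outright; a real handler would also log the request
    endpoint, value = parsed
    return 200, [row[0] for row in db.execute(ROUTES[endpoint][1], (value,))]

def search_tag_unsafe(db, tag):
    """The flawed pattern the analysis describes: input concatenated into SQL text."""
    return [row[0] for row in db.execute("SELECT title FROM videos WHERE tag = '" + tag + "'")]
```

Validation and binding are independent layers: the allowlist rejects malformed segments before any query runs, and the placeholder keeps a value that slips past validation from being parsed as SQL.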