Unrated severityNVD Advisory· Published Dec 23, 2014· Updated May 6, 2026

CVE-2014-9115

Description

SQL injection vulnerability in the rate_picture function in include/functions_rate.inc.php in Piwigo before 2.5.5, 2.6.x before 2.6.4, and 2.7.x before 2.7.2 allows remote attackers to execute arbitrary SQL commands via the rate parameter to picture.php, related to an improper data type in a comparison of a non-numeric value that begins with a digit.

Affected products

Piwigo/Piwigo11 versions
cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*+ 10 more
- cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*range: <=2.5.5
- cpe:2.3:a:piwigo:piwigo:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:piwigo:piwigo:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:piwigo:piwigo:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:piwigo:piwigo:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:piwigo:piwigo:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:piwigo:piwigo:2.7.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:piwigo:piwigo:2.7.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:piwigo:piwigo:2.7.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:piwigo:piwigo:2.7.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:piwigo:piwigo:2.7.1:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

piwigo.org/releases/2.7.2nvdPatch
seclists.org/fulldisclosure/2014/Nov/23nvdExploit
piwigo.org/forum/viewtopic.phpnvdVendor Advisory
piwigo.org/dev/changeset/30563/trunk/include/functions_rate.inc.phpnvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000