CVE-2024-43018
CVSS 6.4 Medium
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Published: 2025-07-29T20:15:26.410
Piwigo 13.8.0 and below is vulnerable to SQL Injection in the parameters max_level and min_register. These parameters are used in ws_user_gerList function from file includews_functionspwg.users.php and this same function is called by ws.php file at some point can be used for searching users in advanced way in /admin.php?page=user_list.
Related CVE by CWE
No related CWE found.
Top CVE for Vendor
No vendor taxonomy on this entry.
Recently Exploited Similar Vulnerabilities
No recent KEV-listed items for this vendor/product.
How to fix CVE-2024-43018
CVE-2024-43018 is a medium severity vulnerability affecting the affected product.
Description: Piwigo 13.8.0 and below is vulnerable to SQL Injection in the parameters max_level and min_register. These parameters are used in ws_user_gerList function from file includews_functionspwg.users.php and this same function is called by ws.php file at some point can be used for searching users in advanced way in /admin.php?page=user_list. Related CVE by CWENo related CWE found.Top […]
Exploit Difficulty: EASY
⏱️ Time to exploit: < 1 hour
🛠️ Required skills: Basic web security knowledge
💰 Public exploits: Likely available
How to Fix:
- Check if you're running the affected product
- Update to the latest patched version
- If patching is not immediately possible: restrict network exposure, apply least-privilege access
- Test the fix in a staging environment first
- Review logs for signs of exploitation
- Monitor for IOCs (Indicators of Compromise)
- Enable automatic security updates
- Set up vulnerability monitoring
- Review and harden security configurations
Description: Piwigo 13.8.0 and below is vulnerable to SQL Injection in the parameters max_level and min_register. These parameters are used in ws_user_gerList function from file includews_functionspwg.users.php and this same function is called by ws.php file at some point can be used for searching users in advanced way in /admin.php?page=user_list. Related CVE by CWENo related CWE found.Top […]
Exploit Difficulty: EASY
⏱️ Time to exploit: < 1 hour
🛠️ Required skills: Basic web security knowledge
💰 Public exploits: Likely available
How to Fix:
1 Identify affected systems
- Check if you're running the affected product
2 Immediate actions
- Update to the latest patched version
- If patching is not immediately possible: restrict network exposure, apply least-privilege access
3 Verification
- Test the fix in a staging environment first
- Review logs for signs of exploitation
- Monitor for IOCs (Indicators of Compromise)
4 Long-term prevention
- Enable automatic security updates
- Set up vulnerability monitoring
- Review and harden security configurations
Exploit Difficulty Assessment
EASY
Time to Exploit: < 1 hour
Skills Required: Basic web security knowledge
Public Exploits: Likely available
Vulnerability Timeline
Jul 29, 2025
Vulnerability Published
CVE details first published to NVD database
Nov 12, 2025
Imported to Database
Added to this CVE tracking system
Detection Rules & IOCs
No specific detection rules generated for this vulnerability type.
No vendor/product data available.