Home > Vulnerability Database > CVE-2023-52082

Mend.io Vulnerability Database

CVE-2023-52082

Date: December 28, 2023

Lychee is a free photo-management tool. Prior to 5.0.2, Lychee is vulnerable to an SQL injection on any binding when using mysql/mariadb. This injection is only active for users with the ".env" settings set to DB_LOG_SQL=true and DB_LOG_SQL_EXPLAIN=true. The defaults settings of Lychee are safe. The patch is provided on version 5.0.2. To work around this issue, disable SQL EXPLAIN logging.

Language: PHP

Severity Score

8.8

Related Resources (4)

Url: https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-rjwv-5j3m-p5x4

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-52082

Url: https://github.com/LycheeOrg/Lychee/commit/33354a2ce7cf700cc4ee537b7b8b94dfc1e84ad4

Url: https://www.mend.io/vulnerability-database/CVE-2023-52082

Severity Score

8.8

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-52082

Date: December 28, 2023

Language: PHP

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?