Cross-Site Scripting Vulnerabilities in ZENphoto by ZENphoto
CVE-2012-0995
Currently unrated
What is CVE-2012-0995?
ZENphoto version 1.4.2 is susceptible to multiple cross-site scripting (XSS) vulnerabilities that allow remote attackers to inject arbitrary scripts or HTML. Attack vectors include the 'msg' parameter in an external action to zp-core/admin.php, 'PATH_INFO' in requests to unspecified URLs, 'PATH_INFO' in requests to zp-core/admin.php, and the 'album' parameter to admin-edit.php. Successful exploitation could lead to unauthorized script execution in users' browsers, potentially compromising user data and session integrity.
