Cross-Site Scripting Vulnerability in Zenphoto Product by Zenphoto
CVE-2015-5593

6.1MEDIUM

Key Information:

Vendor

Zenphoto

Status
Zenphoto
Vendor
CVE Published:
31 December 2019

What is CVE-2015-5593?

The sanitize_string function in Zenphoto versions prior to 1.4.9 is vulnerable to cross-site scripting. This issue arises from improper sanitization of HTML tags, allowing attackers to insert malicious scripts into webpages. By wrapping their payloads in crafted HTML constructs, such as within tags or in image tags utilizing the onerror event, an attacker can execute arbitrary scripts in the context of a user's browser. This may lead to unauthorized access to sensitive data or user sessions.

References

https://software-talk.org/blog/2015/07/second-order-sql-i...
x_refsource_MISC
http://www.zenphoto.org/news/zenphoto-1.4.9
x_refsource_MISC
http://www.openwall.com/lists/oss-security/2015/07/18/3
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.