Cross-Site Scripting Vulnerability in ZenPhoto Web Gallery Software
CVE-2015-5594

6.1MEDIUM

Key Information:

Vendor

Zenphoto

Status
Zenphoto
Vendor
CVE Published:
25 July 2017

What is CVE-2015-5594?

The sanitize_string function in ZenPhoto versions prior to 1.4.9 is flawed, as it uses the html_entity_decode function after sanitizing inputs. This flaw may enable remote attackers to exploit the system by injecting malicious scripts through crafted strings, potentially compromising the security of affected installations.

References

http://www.zenphoto.org/news/zenphoto-1.4.9
x_refsource_CONFIRM
https://software-talk.org/blog/2015/07/second-order-sql-i...
x_refsource_MISC
http://www.openwall.com/lists/oss-security/2015/07/18/3
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.