Zenphoto Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2015-5593
The sanitize_string function in Zenphoto before 1.4.9 does not properly sanitize HTML tags, which allows remote attackers to perform a cross-site scripting (XSS) attack by wrapping a payload in "<<script></script>script>payload<script></script></script>" or in an image tag with the payload as the onerror event.
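The description points at two distinct weaknesses: a tag-stripping denylist that runs once, so removing the inner <script></script> pair splices the leftover fragments into a fresh <script> tag, and a denylist that only knows about script tags, so an image tag with an onerror handler is never touched. The following Python model is an added example for this record; it is not Zenphoto's PHP sanitize_string and does not reproduce its exact logic. The two input strings are constructed from the advisory wording, with the literal word "payload" standing in for a script body, and the regular expressions are assumptions chosen to show the bug class.

```python
import html
import re

# Input shapes taken from the advisory wording (constructed samples); the word
# "payload" stands in for whatever script body an attacker would supply.
NESTED_SCRIPT = '<<script></script>script>payload<script></script></script>'
IMG_ONERROR = '<img src=x onerror=payload>'

# Hypothetical model of a denylist sanitizer: drop every <script>...</script>
# block. This is NOT Zenphoto's sanitize_string; it reproduces the class of bug.
SCRIPT_BLOCK = re.compile(r'<script\b[^>]*>.*?</script\s*>', re.IGNORECASE | re.DOTALL)


def strip_script_blocks_once(value: str) -> str:
    """Single pass: each removal can splice surrounding text into a new tag."""
    return SCRIPT_BLOCK.sub('', value)


def strip_script_blocks_until_stable(value: str, max_rounds: int = 8) -> str:
    """Re-apply the filter until the output stops changing.

    A fixed-point loop closes the reassembly hole for the one tag it knows
    about, but it is still a denylist: anything it does not list (an <img>
    with an onerror handler, for instance) passes straight through.
    """
    for _ in range(max_rounds):
        stripped = SCRIPT_BLOCK.sub('', value)
        if stripped == value:
            return value
        value = stripped
    return ''  # never stabilised: reject rather than guess


def escape_for_html(value: str) -> str:
    """Output encoding: '<', '>', '&' and quotes become entities, so no
    user-controlled string can form a tag or an attribute at all."""
    return html.escape(value, quote=True)


# Detection helper for a code review or a regression test: does the string
# still carry a script tag or an inline event-handler attribute?
ACTIVE_MARKUP = re.compile(r'<\s*script\b|<[^>]*\bon\w+\s*=', re.IGNORECASE)


def still_active(value: str) -> bool:
    return ACTIVE_MARKUP.search(value) is not None


if __name__ == '__main__':
    for name, sample in (('nested script', NESTED_SCRIPT), ('img onerror', IMG_ONERROR)):
        once = strip_script_blocks_once(sample)
        stable = strip_script_blocks_until_stable(sample)
        print(f'{name}:')
        print('  single pass ->', once, '(active)' if still_active(once) else '(inert)')
        print('  fixed point ->', stable, '(active)' if still_active(stable) else '(inert)')
        print('  escaped     ->', escape_for_html(sample))
```

Running the block shows the single pass turning the nested sample into a plain <script>payload</script>, the fixed-point loop emptying it but leaving the img sample intact, and output encoding neutralising both. The practical lesson for a review is that a tag denylist is the wrong tool when the field is not meant to hold HTML; encode on output, and where rich text is genuinely required, parse it and keep only an allowlist of elements and attributes.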