Zenphoto Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2015-5593 - Vulnerability Database

Zenphoto

Zenphoto Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2015-5593

Medium

Reference: CVE-2015-5593

NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2015-5593

Title: Zenphoto Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability

Overview:

The sanitize_string function in Zenphoto before 1.4.9 does not properly sanitize HTML tags which allows remote attackers to perform a cross-site scripting (XSS) attack by wrapping a payload in quotltltscriptgtlt/scriptgtscriptgtpayloadltscriptgtlt/scriptgtlt/scriptgtquot or in an image tag with the payload as the onerror event.