Zenphoto Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2015-5594 - Vulnerability Database

Zenphoto

Zenphoto Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2015-5594

Medium

Reference: CVE-2015-5594

NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2015-5594

Title: Zenphoto Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability

Overview:

The sanitize_string function in ZenPhoto before 1.4.9 utilized the html_entity_decode function after input sanitation which might allow remote attackers to perform a cross-site scripting (XSS) via a crafted string.