QwikSec

Security Database

CVE

CWE

Training

CVE-2015-5593

Published: Dec 31, 2019

Modified: Aug 6, 2024

PUBLISHED

Description

The sanitize_string function in Zenphoto before 1.4.9 does not properly sanitize HTML tags, which allows remote attackers to perform a cross-site scripting (XSS) attack by wrapping a payload in "<<script></script>script>payload<script></script></script>", or in an image tag, with the payload as the onerror event.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://software-talk.org/blog/2015/07/second-order-sql-injection-reflected-xss-path-traversal-function-execution-vulnerability-zenphoto/

x_refsource_MISC

http://www.zenphoto.org/news/zenphoto-1.4.9

x_refsource_MISC

http://www.openwall.com/lists/oss-security/2015/07/18/3

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.