Description

The sanitize_string function in ZenPhoto before 1.4.9 utilized the html_entity_decode function after input sanitation, which might allow remote attackers to perform a cross-site scripting (XSS) via a crafted string.

Remediation

References

CVE-2015-5594

Related Vulnerabilities

WordPress Plugin WPFront Notification Bar Cross-Site Scripting (1.9.1.04012)

WordPress Plugin Hustle-Pop-Ups, Slide-ins and Email Opt-ins CSV Injection (6.0.7)

WordPress Plugin WatchTowerHQ Privilege Escalation (3.6.16)

WordPress Plugin Comment Highlighter SQL Injection (0.13)

Python Improper Encoding or Escaping of Output Vulnerability (CVE-2020-26116)

Severity

Medium

Classification

CVE-2015-5594 CWE-707 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities