Cross-site scripting (XSS) vulnerability in Ansel 2.1 and previous versions allows remote malicious users to inject arbitrary HTML or web script via the album name.