Incomplete blacklist in sanitize_string in Zenphoto prior to 1.4.9 allows remote malicious users to conduct cross-site scripting (XSS) attacks.
zenphoto zenphoto