CVE-2015-5593

Published: 31/12/2019 Updated: 07/01/2020
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

The sanitize_string function in Zenphoto before 1.4.9 does not properly sanitize HTML tags, which allows remote attackers to conduct cross-site scripting (XSS) attacks by wrapping a payload in "<<script></script>script>payload<script></script></script>", or by placing the payload in the onerror event handler of an image tag. The wrapper relies on the sanitizer removing <script></script> pairs in a single, non-recursive pass: stripping the inner pairs leaves fragments that reassemble into an outer <script>payload</script>. The image vector relies on a filter aimed at script tags not removing event-handler attributes at all.
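The following is an added illustration of the bug class described above, not Zenphoto's own sanitize_string code. It models a blacklist filter that strips <script>...</script> pairs in one pass (an assumed simplification), shows that the advisory's wrapper reassembles a script tag after filtering and that the image/onerror vector is never touched, and contrasts both with output encoding, which neutralizes either input regardless of nesting. The helper names (wrap_payload, naive_strip_script, iterative_strip_script, safe_render, has_active_html) and the sample inputs are constructed for this example.

```python
import html
import re

# Toy model of a blacklist sanitizer that removes <script>...</script>
# pairs in a single pass. Assumed illustration of the bug class, not
# Zenphoto's sanitize_string().
_SCRIPT_BLOCK = re.compile(r"<script>.*?</script>", re.IGNORECASE | re.DOTALL)


def wrap_payload(payload: str) -> str:
    """Build the wrapper from the advisory. The inner <script></script>
    pairs are what the single-pass filter removes; their removal leaves
    "<" + "script>" + payload + "</script>", i.e. a live script tag."""
    return f"<<script></script>script>{payload}<script></script></script>"


def naive_strip_script(s: str) -> str:
    """Single non-recursive pass: defeated by the wrapper above."""
    return _SCRIPT_BLOCK.sub("", s)


def iterative_strip_script(s: str) -> str:
    """Strip until a fixed point. Defeats the wrapper, but it is still a
    blacklist: anything outside the pattern (an <img> with an onerror
    handler, for instance) passes through untouched."""
    while True:
        stripped = _SCRIPT_BLOCK.sub("", s)
        if stripped == s:
            return s
        s = stripped


def safe_render(s: str) -> str:
    """Output encoding for an HTML text context: '<', '>', '&' and quotes
    are escaped, so no tag or handler survives however the input nests."""
    return html.escape(s, quote=True)


def has_active_html(s: str) -> bool:
    """Crude detector used only to report outcomes: a script tag, or an
    on*= event-handler attribute inside some tag."""
    return bool(re.search(r"<script\b|<\w+[^>]*\son\w+\s*=", s, re.IGNORECASE))


# Constructed sample inputs matching the two vectors in the summary.
WRAPPED = wrap_payload("alert(document.domain)")
IMG_ONERROR = '<img src=x onerror="alert(document.domain)">'

if __name__ == "__main__":
    for label, s in (("wrapped", WRAPPED), ("img onerror", IMG_ONERROR)):
        for name, fn in (("naive", naive_strip_script),
                         ("iterative", iterative_strip_script),
                         ("escaped", safe_render)):
            out = fn(s)
            print(f"{label:12s} {name:9s} active={has_active_html(out)!s:5s} -> {out!r}")
```

Running the script shows the single-pass filter turning the wrapper into `<script>alert(document.domain)</script>`, the fixed-point filter removing it but leaving the `<img ... onerror=...>` vector intact, and output encoding rendering both inert. The practical lesson matches the fix direction for this class of bug: encode for the output context rather than strip a list of known-bad tags.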

Affected Products

Vendor: Zenphoto
Product: Zenphoto
Versions: 0.1.1, 0.1.2, 0.2, 0.2.2, 0.3, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.4.0, 0.5.0, 0.6.0, 0.8.0, 0.8.1, 0.8.2, 0.9, 1.0, 1.0.1, 1.0.4, 1.0.5, 1.0.6, 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.7, 1.2.5, 1.3, 1.3.1.2, 1.4.2, 1.4.2.1, 1.4.2.2, 1.4.2.3, 1.4.2.4, 1.4.3, 1.4.3.1, 1.4.3.2, 1.4.3.3, 1.4.3.4, 1.4.5, 1.4.5.1, 1.4.5.2, 1.4.5.3, 1.4.5.4, 1.4.5.5, 1.4.5.6, 1.4.5.7, 1.4.5.8, 1.4.7