ZenPhoto Cross Site Scripting and SQL Injection Vulnerabilities
PVS ID: 8019 FAMILY: Internet Services RISK: MEDIUM NESSUS ID: Not Available
Description: Synopsis:

Attackers can exploit these issues to execute arbitrary code in the context of the browser, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database; other attacks are also possible.

The remote host is running a version of ZenPhoto Gallery that may be vulnerable to cross-site scripting and SQL injection attacks due to insufficient sanitization of user input. For your information, the version of ZenPhoto detected is '%L'

Solution: The problems have been fixed by version 1.4.5.4, but a login issue introduced in this version caused the vendor to release a newer update. Upgrade to version 1.4.5.5 or later.

CVE: Not available


Copyright Tenable Network Security Inc. 2013