Petros

**Name of the Vulnerable Software and Affected Versions** Zenphoto version 1.2.5 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `from` parameter in the `/zp-core/admin.php` API endpoint. **Recommendations** For Zenphoto version 1.2.5, avoid using the `from` parameter in the `/zp-core/admin.php` endpoint until a fix is available. As a temporary workaround, consider restricting access to the `/zp-core/admin.php` endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Zenphoto version 1.2.5 **Description** A cross-site request forgery issue allows remote attackers to hijack the authentication of administrators for requests that change the administrative password. This is achieved via the `0-adminpass` and `0-adminpass 2` parameters in a "saveoptions" action. **Recommendations** For Zenphoto version 1.2.5, consider disabling the saveoptions action or restricting access to the administrative password change functionality until a patch is available. Avoid using the `0-adminpass` and `0-adminpass 2` parameters in the saveoptions action to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Zenphoto version 1.2.5 **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `category` parameter in a URI under 'news/category/' when the ZenPage plugin is enabled. This is related to a SQL injection vulnerability in the index.php file. **Recommendations** For Zenphoto version 1.2.5, consider disabling the ZenPage plugin until a patch is available to prevent exploitation of the SQL injection vulnerability. Avoid using the `category` parameter in the affected API endpoint under 'news/category/' until the issue is resolved.