CVE-2006-2187

Name of the Vulnerable Software and Affected Versions zenphoto versions 1.0.1 beta and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML, which can lead to cross-site scripting (XSS) attacks. This is possible via the a parameter in "i.php", and the album and image parameters in "index.php".

Recommendations For zenphoto versions 1.0.1 beta and earlier, consider disabling the a parameter in "i.php", and the album and image parameters in "index.php" as a temporary workaround until a patch is available. Restrict access to "i.php" and "index.php" to minimize the risk of exploitation. Avoid using the a, album, and image parameters in the affected API endpoints until the issue is resolved.