CVE-2015-5594

Name of the Vulnerable Software and Affected Versions ZenPhoto versions prior to 1.4.9

Description The issue is related to the sanitize string function, which used the html entity decode function after input sanitation. This could potentially allow remote attackers to perform a cross-site scripting (XSS) attack via a crafted string.

Recommendations For versions prior to 1.4.9, update to version 1.4.9 or later to resolve the issue. As a temporary workaround, consider disabling the sanitize string function until a patch is available. Restrict input to prevent crafted strings from being processed by the html entity decode function.