CVE-2015-5593

Name of the Vulnerable Software and Affected Versions Zenphoto versions prior to 1.4.9

Description The issue arises from the sanitize string function not properly sanitizing HTML tags, allowing remote attackers to perform a cross-site scripting (XSS) attack. This can be achieved by wrapping a payload in malformed HTML tags, such as "<script>payload", or by using an image tag with the payload as the onerror event.

Recommendations For versions prior to 1.4.9, update to version 1.4.9 or later to resolve the issue. As a temporary workaround, consider disabling the sanitize string function or restricting its use until a patch is available. Avoid using the sanitize string function to sanitize user-inputted HTML tags until the issue is resolved.