CVE-2013-2087

Name of the Vulnerable Software and Affected Versions Gallery 3 versions prior to 3.0.7

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the movie title to the "modules/gallery/controllers/movies.php" API endpoint or the key variable to "modules/gallery/views/error admin.html.php".

Recommendations For versions prior to 3.0.7, update to version 3.0.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the "modules/gallery/controllers/movies.php" and "modules/gallery/views/error admin.html.php" to minimize the risk of exploitation. Avoid using the key variable in the affected API endpoint until the issue is resolved.