Zenphoto Multiple Security Vulnerabilities

Zenphoto is prone to multiple cross-site scripting vulnerabilities, an SQL-injection vulnerability, and a PHP code-injection vulnerability.

An attacker can exploit the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials. The PHP code injection can be exploited to inject and execute arbitrary malicious PHP code in the context of the webserver process.

An attacker may be able to modify the logic of SQL queries. A successful exploit may allow the attacker to compromise the software, retrieve information, or modify data; other consequences are possible as well.

ZENphoto 1.4.2 is vulnerable; other versions may also be affected


 

Privacy Statement
Copyright 2010, SecurityFocus