Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 4.3
CVE Id CVE-2012-0995
Last Modified 24 Feb 2012 12:00:00
Published 21 Feb 2012 08:31:45
Confidentiality Impact NONE
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2012-0995

Summary

Multiple cross-site scripting (XSS) vulnerabilities in ZENphoto 1.4.2 allow remote attackers to inject arbitrary web script or HTML via the (1) msg parameter in an external action to zp-core/admin.php, (2) PATH_INFO to an unspecified URL, as demonstrated using /1/, (3) PATH_INFO to zp-core/admin.php, or (4) album parameter to zp-core/admin-edit.php.

Vulnerable Systems

Application

  • Zenphoto 1.4.2


References

MISC - https://www.htbridge.ch/advisory/HTB23070

XF - zenphoto-multiple-xss(73083)

CONFIRM - http://www.zenphoto.org/trac/changeset/8995

CONFIRM - http://www.zenphoto.org/trac/changeset/8994

CONFIRM - http://www.zenphoto.org/news/zenphoto-1.4.2.1

BID - 51916

SECUNIA - 47875

BUGTRAQ - 20120208 Multiple vulnerabilities in ZENphoto


Last Updated: 27 May 2016 10:58:18