Vulnerabilities > Zenphoto

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
|---|---|---|---|---|
| 2021-02-26 | CVE-2020-36079 | Unrestricted Upload of File With Dangerous Type vulnerability in Zenphoto | ** DISPUTED ** Zenphoto through 1.5.7 is affected by authenticated arbitrary file upload, leading to remote code execution. | network, low complexity, zenphoto, CWE-434, 6.5 |
| 2020-06-11 | CVE-2020-5593 | Injection vulnerability in Zenphoto | Zenphoto versions prior to 1.5.7 allow an attacker to conduct PHP code injection attacks by leading a user to upload a specially crafted .zip file. | network, low complexity, zenphoto, CWE-74, 6.5 |
| 2020-06-11 | CVE-2020-5592 | Cross-Site Scripting vulnerability in Zenphoto | Cross-site scripting vulnerability in Zenphoto versions prior to 1.5.7 allows remote attackers to inject arbitrary JavaScript via unspecified vectors. | network, zenphoto, CWE-79, 4.3 |
| 2020-02-11 | CVE-2012-4519 | Cross-Site Scripting vulnerability in Zenphoto | Zenphoto before 1.4.3.4 admin-news-articles.php date parameter XSS. | network, zenphoto, CWE-79, 4.3 |
| 2019-12-31 | CVE-2015-5595 | Cross-Site Request Forgery (CSRF) vulnerability in Zenphoto | Cross-site request forgery (CSRF) vulnerability in admin.php in Zenphoto before 1.4.9 allows remote attackers to hijack the authentication of admin users for requests that may cause a denial of service (resource consumption). | network, zenphoto, CWE-352, 4.3 |
| 2019-12-31 | CVE-2015-5593 | Cross-Site Scripting vulnerability in Zenphoto | The sanitize_string function in Zenphoto before 1.4.9 does not properly sanitize HTML tags, which allows remote attackers to perform a cross-site scripting (XSS) attack by wrapping a payload in `<<script></script>script>payload<script></script></script>`, or in an image tag, with the payload as the onerror event. | network, zenphoto, CWE-79, 4.3 |
| 2019-12-31 | CVE-2015-5592 | Cross-Site Scripting vulnerability in Zenphoto | Incomplete blacklist in sanitize_string in Zenphoto before 1.4.9 allows remote attackers to conduct cross-site scripting (XSS) attacks. | network, zenphoto, CWE-79, 4.3 |
| 2019-12-31 | CVE-2015-5591 | SQL Injection vulnerability in Zenphoto | SQL injection vulnerability in Zenphoto before 1.4.9 allows remote administrators to execute arbitrary SQL commands. | network, low complexity, zenphoto, CWE-89, 6.5 |
| 2019-03-21 | CVE-2018-20140 | Cross-Site Scripting vulnerability in Zenphoto 1.4.14 | Zenphoto 1.4.14 has multiple cross-site scripting (XSS) vulnerabilities via different URL parameters. | network, zenphoto, CWE-79, 4.3 |
| 2018-06-26 | CVE-2018-0610 | Improper Privilege Management vulnerability in Zenphoto | Local file inclusion vulnerability in Zenphoto 1.4.14 and earlier allows a remote attacker with an administrative privilege to execute arbitrary code or obtain sensitive information. | network, low complexity, zenphoto, CWE-269, 6.5 |