Vulnerabilities > Zenphoto

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
|---|---|---|---|---|
| 2021-02-26 | CVE-2020-36079 | Unrestricted Upload of File with Dangerous Type vulnerability in Zenphoto | Zenphoto through 1.5.7 is affected by authenticated arbitrary file upload, leading to remote code execution. | network; low complexity; zenphoto CWE-434; 7.2 |
| 2020-06-11 | CVE-2020-5593 | Injection vulnerability in Zenphoto | Zenphoto versions prior to 1.5.7 allow an attacker to conduct PHP code injection attacks by leading a user to upload a specially crafted .zip file. | network; low complexity; zenphoto CWE-74; 6.5 |
| 2020-06-11 | CVE-2020-5592 | Cross-site Scripting vulnerability in Zenphoto | Cross-site scripting vulnerability in Zenphoto versions prior to 1.5.7 allows remote attackers to inject arbitrary JavaScript via unspecified vectors. | network; zenphoto CWE-79; 4.3 |
| 2020-02-11 | CVE-2012-4519 | Cross-site Scripting vulnerability in Zenphoto | Zenphoto before 1.4.3.4 has XSS via the date parameter in admin-news-articles.php. | network; zenphoto CWE-79; 4.3 |
| 2019-12-31 | CVE-2015-5595 | Cross-Site Request Forgery (CSRF) vulnerability in Zenphoto | Cross-site request forgery (CSRF) vulnerability in admin.php in Zenphoto before 1.4.9 allows remote attackers to hijack the authentication of admin users for requests that may cause a denial of service (resource consumption). | network; zenphoto CWE-352; 4.3 |
| 2019-12-31 | CVE-2015-5593 | Cross-site Scripting vulnerability in Zenphoto | The sanitize_string function in Zenphoto before 1.4.9 does not properly sanitize HTML tags, which allows remote attackers to perform a cross-site scripting (XSS) attack by wrapping a payload in "<<script></script>script>payload<script></script></script>", or in an image tag, with the payload as the onerror event. | network; zenphoto CWE-79; 4.3 |
| 2019-12-31 | CVE-2015-5592 | Cross-site Scripting vulnerability in Zenphoto | Incomplete blacklist in sanitize_string in Zenphoto before 1.4.9 allows remote attackers to conduct cross-site scripting (XSS) attacks. | network; zenphoto CWE-79; 4.3 |
| 2019-12-31 | CVE-2015-5591 | SQL Injection vulnerability in Zenphoto | SQL injection vulnerability in Zenphoto before 1.4.9 allows remote administrators to execute arbitrary SQL commands. | network; low complexity; zenphoto CWE-89; 6.5 |
| 2019-03-21 | CVE-2018-20140 | Cross-site Scripting vulnerability in Zenphoto 1.4.14 | Zenphoto 1.4.14 has multiple cross-site scripting (XSS) vulnerabilities via different URL parameters. | network; zenphoto CWE-79; 4.3 |
| 2018-06-26 | CVE-2018-0610 | Improper Privilege Management vulnerability in Zenphoto | Local file inclusion vulnerability in Zenphoto 1.4.14 and earlier allows a remote attacker with an administrative privilege to execute arbitrary code or obtain sensitive information. | network; low complexity; zenphoto CWE-269; 6.5 |