Multiple Vulnerabilities in ZENphoto
|Vulnerable Versions:||220.127.116.11. Prior and later versions may be also affected|
|Advisory Publication:||April 7, 2011 [without technical details]|
|Vendor Notification:||April 7, 2011|
|Public Disclosure:||April 21, 2011|
|Latest Update:||January 23, 2012|
|Vulnerability Type:||Cross-Site Scripting [CWE-79]|
Information Exposure Through Externally-generated Error Message [CWE-211]
|CVSSv2 Base Scores:||4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)|
|Solution Status:||Fixed by Vendor|
|Discovered and Provided:||High-Tech Bridge Security Research Lab|
High-Tech Bridge SA Security Research Lab has discovered vulnerabilities in ZENphoto which could be exploited to perform cross-site scripting attacks and disclose potentially sensitive information.
|Upgrade to the most recent version.|
Issue 1) is fixed by Vendor by additional security check for PHP configuration during the product Installation process.
Issue 2) is fixed by Vendor.
| High-Tech Bridge Advisory HTB22945 - https://www.htbridge.com/advisory/HTB22945 - Multiple Vulnerabilities in ZENphoto|
 ZENphoto - www.zenphoto.org - Zenphoto is a standalone CMS for multimedia focused websites.
 Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.