CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Zenphoto : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2013-7242 89 Exec Code Sql 2013-12-31 2013-12-31
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in zp-core/zp-extensions/wordpress_import.php in Zenphoto before 1.4.5.4 allows remote authenticated administrators to execute arbitrary SQL commands via the tableprefix parameter.
2 CVE-2013-7241 79 XSS 2013-12-31 2013-12-31
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the export function in zp-core/zp-extensions/mergedRSS.php in Zenphoto before 1.4.5.4 allows remote attackers to inject arbitrary web script or HTML via the URI.
3 CVE-2012-2641 79 XSS 2012-07-05 2012-07-06
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Zenphoto before 1.4.3 allows remote attackers to inject arbitrary web script or HTML by triggering improper interaction with an unspecified library.
4 CVE-2012-0995 79 XSS 2012-02-21 2012-02-24
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in ZENphoto 1.4.2 allow remote attackers to inject arbitrary web script or HTML via the (1) msg parameter in an external action to zp-core/admin.php, (2) PATH_INTO to an unspecified URL, as demonstrated using /1/, (3) PATH_INFO to zp-core/admin.php, or (4) album parameter to zp-core/admin-edit.php.
5 CVE-2012-0994 89 Exec Code Sql 2012-02-21 2012-02-21
6.0
None Remote Medium Single system Partial Partial Partial
SQL injection vulnerability in the Manage Albums feature in zp-core/admin-albumsort.php in ZENphoto 1.4.2 allows remote authenticated users to execute arbitrary SQL commands via the sortableList parameter.
6 CVE-2012-0993 94 Exec Code 2012-02-21 2012-02-21
6.8
None Remote Medium Not required Partial Partial Partial
Eval injection vulnerability in zp-core/zp-extensions/viewer_size_image.php in ZENphoto 1.4.2, when the viewer_size_image plugin is enabled, allows remote attackers to execute arbitrary PHP code via the viewer_size_image_saved cookie.
7 CVE-2010-4907 79 1 XSS 2011-10-08 2012-02-13
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in zp-core/admin.php in Zenphoto 1.3 allows remote attackers to inject arbitrary web script or HTML via the user parameter. NOTE: the from parameter is already covered by CVE-2009-4562.
8 CVE-2010-4906 89 1 Exec Code Sql 2011-10-08 2012-02-13
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in zp-core/full-image.php in Zenphoto 1.3 and 1.3.1.2 allows remote attackers to execute arbitrary SQL commands via the a parameter. NOTE: some of these details are obtained from third party information.
9 CVE-2009-4566 89 Exec Code Sql 2010-01-04 2010-01-05
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in Zenphoto 1.2.5 allows remote attackers to execute arbitrary SQL commands via the title parameter in a news action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
10 CVE-2009-4564 89 1 Exec Code Sql 2010-01-04 2010-01-05
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in index.php in Zenphoto 1.2.5, when the ZenPage plugin is enabled, allows remote attackers to execute arbitrary SQL commands via the category parameter, related to a URI under news/category/.
11 CVE-2009-4563 79 1 XSS CSRF 2010-01-04 2010-01-05
4.3
None Remote Medium Not required None Partial None
Cross-site request forgery (CSRF) vulnerability in zp-core/admin-options.php in Zenphoto 1.2.5 allows remote attackers to hijack the authentication of administrators for requests that change the administrative password via the 0-adminpass and 0-adminpass_2 parameters in a saveoptions action.
12 CVE-2009-4562 79 1 XSS 2010-01-04 2010-01-05
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in zp-core/admin.php in Zenphoto 1.2.5 allows remote attackers to inject arbitrary web script or HTML via the from parameter.
13 CVE-2008-6925 79 XSS 2009-08-10 2009-08-11
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in function.php in Zenphoto 1.1.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in the "request logging" feature. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
14 CVE-2007-6666 89 1 Exec Code Sql 2008-01-04 2008-11-15
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in rss.php in Zenphoto 1.1 through 1.1.3 allows remote attackers to execute arbitrary SQL commands via the albumnr parameter.
15 CVE-2007-0616 Dir. Trav. 2007-01-31 2008-11-13
7.8
None Remote Low Not required Complete None None
Directory traversal vulnerability in zen/template-functions.php in zenphoto 1.0.4 up to 1.0.6 allows remote attackers to list arbitrary directories via ".." sequences in the album parameter to index.php.
16 CVE-2006-2187 XSS 2006-05-04 2008-09-05
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in zenphoto 1.0.1 beta and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) a parameter in i.php, and the (2) album and (3) image parameters in index.php.
17 CVE-2006-2186 +Info 2006-05-04 2008-09-05
5.0
None Remote Low Not required Partial None None
zenphoto 1.0.1 beta and earlier allow remote attackers to obtain sensitive information via a direct request for the (1) /photos/themes/default/ and (2) /photos/themes/testing/ URIs, which reveals the path in an error message.
Total number of vulnerabilities : 17   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.