[waraxe-2012-SA#096] - Multiple Vulnerabilities in Zenphoto 1.4.3.3

vendor:

Zenphoto

by:

Janek Vind "waraxe"

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: Zenphoto

Affected Version From: Zenphoto 1.4.3.3 and earlier

Affected Version To: Zenphoto 1.4.3.3

Patch Exists: YES

Related CWE: N/A

CPE: a:zenphoto:zenphoto

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2012

[waraxe-2012-SA#096] – Multiple Vulnerabilities in Zenphoto 1.4.3.3

A SQL injection vulnerability exists in the "failed_access_blocker" plugin of Zenphoto 1.4.3.3 and earlier versions. The vulnerability is due to insufficient sanitization of user-supplied data in the "X_FORWARDED_FOR" HTTP header. An attacker can exploit this vulnerability to execute arbitrary SQL commands in the application's database.

Mitigation:

Upgrade to Zenphoto 1.4.3.4 or later.

Source

[waraxe-2012-SA#096] – Multiple Vulnerabilities in Zenphoto 1.4.3.3

Mitigation:

Exploit-DB raw data: