Description
The sanitize_string function in ZenPhoto before 1.4.9 called html_entity_decode after sanitizing its input, so markup supplied as HTML entities passed the sanitizer untouched and was decoded back into live HTML afterwards, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string.
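As an added illustration of this bug class (not ZenPhoto's own code), the PHP below contrasts the vulnerable ordering, sanitize then decode, with the safe ordering, decode then sanitize. It assumes strip_tags as a stand-in for the sanitization step and uses a constructed input string.

```php
<?php
// Vulnerable ordering (constructed illustration): the sanitizer runs on the
// raw string, then html_entity_decode turns any entity-encoded markup that
// survived sanitization back into real tags. strip_tags is an assumed stand-in
// for whatever the sanitizer does; the point is the order, not the sanitizer.
function sanitize_then_decode(string $input): string
{
    $clean = strip_tags($input);                       // sees no '<' at all
    return html_entity_decode($clean, ENT_QUOTES, 'UTF-8'); // re-creates '<'
}

// Safe ordering: decode first so the sanitizer sees the same characters the
// browser would render, then sanitize what is left. Nothing is decoded after.
function decode_then_sanitize(string $input): string
{
    $decoded = html_entity_decode($input, ENT_QUOTES, 'UTF-8');
    return strip_tags($decoded);
}

// Simple check used for the demonstration: did a tag reach the output?
function contains_live_markup(string $s): bool
{
    return preg_match('/<[a-z!\/]/i', $s) === 1;
}

// Constructed input: a script element written entirely as HTML entities, so a
// sanitizer that only looks for literal '<' and '>' has nothing to remove.
$crafted = '&lt;script&gt;alert(1)&lt;/script&gt;';

foreach (['sanitize_then_decode', 'decode_then_sanitize'] as $fn) {
    $out = $fn($crafted);
    printf("%-22s -> %s (%s)\n", $fn, var_export($out, true),
        contains_live_markup($out) ? 'LIVE MARKUP LEAKED' : 'safe');
}
```

Run with the PHP CLI; the first line shows the decoded tag surviving, the second shows it removed. The same reversal happens with any sanitizer that relies on literal characters, including htmlspecialchars, whose output html_entity_decode undoes exactly.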