CVE-2015-5594

The sanitize_string function in ZenPhoto before 1.4.9 utilized the html_entity_decode function after input sanitation, which might allow remote attackers to perform a cross-site scripting (XSS) via a crafted string. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt