A vulnerability in the User Collections plug-in of Piwigo version 1.1.0 could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks on a targeted system.
The vulnerability is due to insufficient sanitization of user-supplied input by the ZeroClipboard.swf script of the affected software. An attacker could exploit this vulnerability by convincing a user to open a URL that contains a crafted parameter. An exploit could allow the attacker to execute arbitrary script code in the user's browser session in the context of the affected site.
Users should verify that unsolicited links are safe to follow.
For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
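The advisory above describes a reflected cross-site scripting issue in ZeroClipboard.swf and recommends IDS/IPS-style detection. The following script, added here as an illustration and not taken from Piwigo, the plug-in, or Cisco, shows the shape of a simple log-based detector for this class of issue: it scans web-server access-log lines for requests to ZeroClipboard.swf and flags any query parameter whose fully decoded value contains characters outside a conservative identifier allow-list, rather than pattern-matching known payload strings. The log lines, the plug-in path, and the parameter name `id` are constructed for the example; the advisory does not name the affected parameter, and the check does not depend on the name.

```python
"""Flag requests to ZeroClipboard.swf whose query parameters carry
non-identifier characters, as a simple log-based detection aid.

Example code added to illustrate the advisory; sample data is constructed."""
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
# The plug-in path and the "id" parameter name are assumptions for this example.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /plugins/user_collections/ZeroClipboard.swf HTTP/1.1" 200 5123
198.51.100.8 - - [10/Oct/2023:13:55:40 +0000] "GET /plugins/user_collections/ZeroClipboard.swf?id=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5123
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?/category/3 HTTP/1.1" 200 8841
198.51.100.10 - - [10/Oct/2023:13:56:05 +0000] "GET /plugins/user_collections/ZeroClipboard.swf?id=clip_button_12 HTTP/1.1" 200 5123
198.51.100.11 - - [10/Oct/2023:13:56:09 +0000] "GET /plugins/user_collections/ZeroClipboard.swf?id=%253Cb%253E HTTP/1.1" 200 5123
"""

# Common Log Format request field: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Allow-list of characters expected in a benign clipboard-button identifier.
# This is an assumption for the example; adjust it to what the deployment uses.
SAFE_VALUE_RE = re.compile(r'^[A-Za-z0-9_.\-]*$')


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so that double-encoded
    values are inspected in their decoded form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> Dict[str, str]:
    """Return the query parameters of a ZeroClipboard.swf request whose decoded
    value falls outside the allow-list. Returns an empty dict when the request
    is not for ZeroClipboard.swf or every value looks benign."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("zeroclipboard.swf"):
        return {}
    flagged: Dict[str, str] = {}
    # parse_qsl removes one layer of percent-encoding; decode_fully handles more.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_fully(raw)
        if not SAFE_VALUE_RE.match(value):
            flagged[name] = value
    return flagged


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan access-log lines and return one finding per suspicious request."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        flagged = suspicious_params(match.group("target"))
        if flagged:
            findings.append({
                "line": lineno,
                "client": line.split(" ", 1)[0],
                "params": flagged,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {finding['line']}: {finding['client']} -> {finding['params']}")
```

The allow-list approach is deliberate: matching on specific payload strings misses trivial variations, whereas rejecting anything that is not a plain identifier catches the whole class of crafted values, including double-encoded ones. Tune `SAFE_VALUE_RE` to the values the plug-in legitimately passes, and treat a hit as a prompt to review the request rather than as proof of exploitation.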
The vendor has not confirmed the vulnerability and updates are not available.