PrettyPhoto is vulnerable to DOM-based cross-site scripting (XSS). The attack is possible because it fails to encode special characters from user-provided data after the # in the URL. The vulnerability exists in the getHashtag function of js/jquery.prettyPhoto.js, allowing an attacker to inject arbitrary JavaScript into a victim's browser.
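The defensive counterpart of the flaw described above, as an added example that is not PrettyPhoto's own code: a hypothetical hash parser for a gallery deep link (the "#prettyPhoto[gallery]/index/" shape and the function names are assumptions) that validates the untrusted fragment against a strict allowlist before use and HTML-escapes anything that still reaches markup.

```javascript
// Added example (not from js/jquery.prettyPhoto.js): a hardened parser for a
// gallery deep link such as "#prettyPhoto[gallery]/2/". The unsafe pattern the
// advisory describes is taking the URL fragment and placing it into markup or
// a selector unencoded; here the fragment is validated against an allowlist
// first, and any value that is later written into HTML is escaped as well.

// Gallery name: letters, digits, underscore, hyphen only. Index: decimal digits.
// Anything else (including any injected markup) is rejected outright.
const HASH_PATTERN = /^#prettyPhoto\[([A-Za-z0-9_-]{1,64})\]\/(\d{1,4})\/?$/;

// Minimal HTML entity encoder for text placed inside an element body or a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Returns { gallery, index } for a well-formed hash, or null for anything that
// does not match the allowlist. Decoding happens before matching so that
// percent-encoded special characters cannot slip past the check.
function parseGalleryHash(hash) {
  let decoded;
  try {
    decoded = decodeURIComponent(hash);
  } catch (e) {
    return null; // malformed percent-encoding is treated as untrusted input
  }
  const m = HASH_PATTERN.exec(decoded);
  if (!m) return null;
  return { gallery: m[1], index: Number(m[2]) };
}

// Builds caption markup from the parsed hash. parseGalleryHash only passes
// allowlisted values, so escapeHtml here is defence in depth rather than the
// sole control.
function renderCaption(hash) {
  const parsed = parseGalleryHash(hash);
  if (!parsed) return '<span class="pp_caption"></span>';
  return '<span class="pp_caption">' + escapeHtml(parsed.gallery) +
    ' / ' + parsed.index + '</span>';
}
```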