Flash Image Gallery suffers from a direct download vulnerability where config.xml, the file containing the username and password for the administrator, can be directly accessed by anyone remotely. Advisory is in Spanish.
e1d509b225cd3132762766b4c15a7074855e8f34043a0e3b77ff6a6d839959fd