Get the patch from Menalto Gallery.
Doesn’t seem to be a nuke module version upgrade ready yet.
Menalto Gallery wrote:
Several days ago, Rafel Ivgi informed us of a possible cross site scripting (definition) problem in current versions of Gallery. The problem and some similar problems discovered by our team have been addressed in Gallery 2 CVS as well as in this release of 1.4.4-pl5.
As with most other cross site scripting problems, no risk is posed to the webserver itself or any non-Gallery data, but a Gallery install could be compromised using appropriate code.
In addition to the security fix, Gallery 1.4.4-pl5 uses the proper parameters for new versions of ImageMagick and fixes some small issues with PHP 5.
All Gallery users are strongly urged to upgrade to 1.4.4-pl5 immediately, which fixes this problem and will secure your system.
Gallery 1.4.4-pl5 can be downloaded from the Gallery Download Page.