CVE-2009-4172
Published 2009-12-02
Priority P413 · low · 2.6 (CVSS 2.0)
Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 1.60% (72.7th percentile)
Cross-site scripting (XSS) vulnerability in index.php in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews 8 and 8b, when magic_quotes_gpc is disabled, allows remote attackers to inject arbitrary web script or HTML via the body of a news article in an addnews action.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cutephp | cutenews | — | — |
| korn19 | utf-8_cutenews | — | — |
| korn19 | utf-8_cutenews | — | — |
No detection rules found.
Exploit-DB
CuteNews and UTF-8 CuteNews - Multiple Vulnerabilities
exploitdb·2009-11-10
CVE-2009-4250 CuteNews and UTF-8 CuteNews - Multiple Vulnerabilities
---
MorningStar Security - Advisory
http://www.morningstarsecurity.com/
Multiple security issues in Cute News and UTF-8 Cute News
1. Advisory Information
Title: Multiple security issues in Cute News and UTF-8 Cute News
Advisory ID: MORNINGSTAR-2009-02
Advisory URL: http://www.morningstarsecurity.com/advisories/
Release Type: Co-ordinated, responsible disclosure
2. Vulnerability Information
Class: Cross Site Request Forgery, Cross Site Scripting, File Path Disclosure, Local File Inclusion, Authentication Bypass and PHP Command Injection
Remotely Exploitable: Yes
Locally Exploitable: No
3. Vulnerability Description
Cute News is a powerful and easy to use news management system that uses flat files to store its database. It suppo
Exploit-DB
CuteNews 1.4.6 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities
exploitdb·2009-11-10
CVE-2009-4172 CuteNews 1.4.6 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities
---
source: https://www.securityfocus.com/bid/36971/info
CuteNews and UTF-8 CuteNews are prone to multiple vulnerabilities, including cross-site scripting, HTML-injection, information-disclosure, arbitrary-script-injection, and security-bypass issues.
Note that exploits for some of the issues may require administrator privilege.
Successful exploits may allow attackers to:
- obtain sensitive information
- gain unauthorized access to the affected application
- run arbitrary script code in the browser of an unsuspecting user in the context of the affected site
- hijack user sessions
- execute arbitrary commands in the context of the webserver process
A successful attack will compromise the application and may aid
No writeups or analysis indexed.
http://www.morningstarsecurity.com/advisories/MORNINGSTAR-2009-02-CuteNews.txt
http://www.securityfocus.com/archive/1/507782/100/0/threaded
http://www.securityfocus.com/bid/36971
https://exchange.xforce.ibmcloud.com/vulnerabilities/54225