CVE-2009-4173
Published 2009-12-02
Priority: P4 · 29 · medium
CVSS 2.0: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 1.03% (59.3th percentile)
Cross-site request forgery (CSRF) vulnerability in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allows remote attackers to hijack the authentication of administrators for requests that create new users, including a new administrator, via an adduser action in the editusers module in index.php.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cutephp | cutenews | — | — |
| korn19 | utf-8_cutenews | — | — |
No detection rules found.
Exploit-DB
CuteNews and UTF-8 CuteNews - Multiple Vulnerabilities
exploitdb·2009-11-10
CVE-2009-4250 CuteNews and UTF-8 CuteNews - Multiple Vulnerabilities
---
MorningStar Security - Advisory
http://www.morningstarsecurity.com/
Multiple security issues in Cute News and UTF-8 Cute News
1. Advisory Information
Title: Multiple security issues in Cute News and UTF-8 Cute News
Advisory ID: MORNINGSTAR-2009-02
Advisory URL: http://www.morningstarsecurity.com/advisories/
Release Type: Co-ordinated, responsible disclosure
2. Vulnerability Information
Class: Cross Site Request Forgery, Cross Site Scripting, File Path Disclosure, Local File Inclusion, Authentication Bypass and PHP Command Injection
Remotely Exploitable: Yes
Locally Exploitable: No
3. Vulnerability Description
Cute News is a powerful and easy to use news management system that uses flat files to store its database. It suppo
Exploit-DB
CuteNews 1.4.6 - 'index.php' Cross-Site Request Forgery (New User Creation)
exploitdb·2009-11-10
CVE-2009-4173 CuteNews 1.4.6 - 'index.php' Cross-Site Request Forgery (New User Creation)
---
source: https://www.securityfocus.com/bid/36971/info
CuteNews and UTF-8 CuteNews are prone to multiple vulnerabilities, including cross-site scripting, HTML-injection, information-disclosure, arbitrary-script-injection, and security-bypass issues.
Note that exploits for some of the issues may require administrator privilege.
Successful exploits may allow attackers to:
- obtain sensitive information
- gain unauthorized access to the affected application
- run arbitrary script code in the browser of an unsuspecting user in the context of the affected site
- hijack user sessions
- execute arbitrary commands in the context of the webserver process
A successful attack will compromise the application and may ai
No writeups or analysis indexed.
- http://www.morningstarsecurity.com/advisories/MORNINGSTAR-2009-02-CuteNews.txt
- http://www.securityfocus.com/archive/1/507782/100/0/threaded
- http://www.securityfocus.com/bid/36971
- https://exchange.xforce.ibmcloud.com/vulnerabilities/54240