CVE-2009-4175
Published: 2009-12-02
Priority: P4 / 13; severity: medium, 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 2.79% (84.6th percentile)
CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allow remote attackers to obtain sensitive information via an invalid date value in the from_date_day parameter to search.php, which reveals the installation path in an error message.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cutephp | cutenews | — | — |
| korn19 | utf-8_cutenews | — | — |
No detection rules found.
Exploit-DB
CuteNews and UTF-8 CuteNews - Multiple Vulnerabilities
exploitdb·2009-11-10
CVE-2009-4250 CuteNews and UTF-8 CuteNews - Multiple Vulnerabilities
---
MorningStar Security - Advisory
http://www.morningstarsecurity.com/
Multiple security issues in Cute News and UTF-8 Cute News
1. Advisory Information
Title: Multiple security issues in Cute News and UTF-8 Cute News
Advisory ID: MORNINGSTAR-2009-02
Advisory URL: http://www.morningstarsecurity.com/advisories/
Release Type: Co-ordinated, responsible disclosure
2. Vulnerability Information
Class: Cross Site Request Forgery, Cross Site Scripting, File Path Disclosure, Local File Inclusion, Authentication Bypass and PHP Command Injection
Remotely Exploitable: Yes
Locally Exploitable: No
3. Vulnerability Description
Cute News is a powerful and easy to use news management system that uses flat files to store its database. It suppo
Exploit-DB
CuteNews 1.4.6 - 'from_date_day' Full Path Disclosure
exploitdb·2009-11-10
CVE-2009-4175 CuteNews 1.4.6 - 'from_date_day' Full Path Disclosure
---
source: https://www.securityfocus.com/bid/36971/info
CuteNews and UTF-8 CuteNews are prone to multiple vulnerabilities, including cross-site scripting, HTML-injection, information-disclosure, arbitrary-script-injection, and security-bypass issues.
Note that exploits for some of the issues may require administrator privilege.
Successful exploits may allow attackers to:
- obtain sensitive information
- gain unauthorized access to the affected application
- run arbitrary script code in the browser of an unsuspecting user in the context of the affected site
- hijack user sessions
- execute arbitrary commands in the context of the webserver process
A successful attack will compromise the application and may aid in further attacks.
No writeups or analysis indexed.
- http://www.morningstarsecurity.com/advisories/MORNINGSTAR-2009-02-CuteNews.txt
- http://www.securityfocus.com/archive/1/507782/100/0/threaded
- http://www.securityfocus.com/bid/36971
- https://exchange.xforce.ibmcloud.com/vulnerabilities/54235