CVE-2009-4250
Published: 2009-12-10
Priority: P4 (20) | CVSS 2.0: 4.3 (medium) | Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Exploit: public (see the Exploit-DB entries below) | EPSS: 1.98% (78.0th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allow remote attackers to inject arbitrary web script or HTML via (1) the result parameter to register.php; (2) the user parameter to search.php; the (3) cat_msg, (4) source_msg, (5) postponed_selected, (6) unapproved_selected, and (7) news_per_page parameters in a list action to the editnews module of index.php; and (8) the link tag in news comments. NOTE: some of the vulnerabilities require register_globals to be enabled and/or magic_quotes_gpc to be disabled.
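The seven GET-parameter vectors above are reflected XSS, so the first thing a tester wants is a non-destructive way to confirm whether a given install still reflects them unencoded. The following is an added example, not code from the advisory, Exploit-DB entry, or CuteNews itself: it builds one probe URL per named parameter and classifies a response body as reflecting the marker raw, HTML-encoded, or not at all. The marker deliberately contains no quotes or backslashes, so it is unaffected by magic_quotes_gpc (the NOTE in the description). The query keys used to select the editnews module and the list action on index.php (`mod` and `action`) are an assumption; the vector 8 stored issue via the link tag in comments is not covered. The sample bodies are constructed so the script runs offline; in practice you would fetch each probe URL and pass the response text to `classify_reflection`.

```python
"""Reflection probes for the GET parameters named in CVE-2009-4250.

Added example, not part of CuteNews or the original advisory. Sample
response bodies below are constructed for offline use.
"""
import html
from urllib.parse import urlencode, urljoin

# (script, fixed query parameters, parameters to probe), as named in the
# CVE description. The 'mod'/'action' keys for index.php are an assumption.
PROBE_TARGETS = [
    ("register.php", {}, ["result"]),
    ("search.php", {}, ["user"]),
    ("index.php", {"mod": "editnews", "action": "list"},
     ["cat_msg", "source_msg", "postponed_selected",
      "unapproved_selected", "news_per_page"]),
]

# No quotes or backslashes: magic_quotes_gpc cannot alter it. The angle
# brackets are exactly what a correct output encoder must turn into
# &lt; and &gt;, so their survival proves an HTML injection sink.
MARKER = "<cn4250probe>"


def build_probes(base_url):
    """Return (url, parameter) pairs, one probe per listed parameter."""
    probes = []
    for script, fixed, params in PROBE_TARGETS:
        for name in params:
            query = dict(fixed)
            query[name] = MARKER
            url = urljoin(base_url, script) + "?" + urlencode(query)
            probes.append((url, name))
    return probes


def classify_reflection(body, marker=MARKER):
    """Classify how a response body reflects the marker.

    'raw'     -> marker present verbatim: unencoded reflection (XSS sink)
    'encoded' -> only the HTML-escaped form is present: output is encoded
    'absent'  -> parameter is not reflected in this response at all
    A body containing both forms is reported as 'raw', since one unencoded
    copy is enough for an attacker.
    """
    if marker in body:
        return "raw"
    if html.escape(marker, quote=False) in body:
        return "encoded"
    return "absent"


# Constructed sample responses (not real CuteNews output), keyed by script.
SAMPLE_BODIES = {
    "register.php": '<div class="msg">Registration: <cn4250probe></div>',
    "search.php": "<p>Results for user &lt;cn4250probe&gt;</p>",
    "index.php": "<p>No news found.</p>",
}


def scan(bodies):
    """Classify every body in a {name: html} mapping."""
    return {name: classify_reflection(body) for name, body in bodies.items()}


if __name__ == "__main__":
    for url, name in build_probes("http://example.test/cutenews/"):
        print(f"{name:20s} {url}")
    for name, verdict in scan(SAMPLE_BODIES).items():
        print(f"{name:15s} {verdict}")
```

Treat a 'raw' verdict on any probe as the reflected issue being present; an 'encoded' verdict only tells you that one output point escapes `<` and `>`, not that attribute or JavaScript contexts are safe, so review the template around the reflection before closing the finding.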
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cutephp | cutenews | 1.4.6 | — |
| korn19 | utf-8_cutenews | <= 8 | 8b |
No detection rules found.
Exploit-DB
CuteNews and UTF-8 CuteNews - Multiple Vulnerabilities (exploitdb, 2009-11-10, CVE-2009-4250)
---
MorningStar Security - Advisory
http://www.morningstarsecurity.com/
Multiple security issues in Cute News and UTF-8 Cute News
1. Advisory Information
Title: Multiple security issues in Cute News and UTF-8 Cute News
Advisory ID: MORNINGSTAR-2009-02
Advisory URL: http://www.morningstarsecurity.com/advisories/
Release Type: Co-ordinated, responsible disclosure
2. Vulnerability Information
Class: Cross Site Request Forgery, Cross Site Scripting, File Path Disclosure, Local File Inclusion, Authentication Bypass and PHP Command Injection
Remotely Exploitable: Yes
Locally Exploitable: No
3. Vulnerability Description
Cute News is a powerful and easy to use news management system that uses flat files to store its database. It suppo
Exploit-DB
CuteNews 1.4.6 - 'result' Cross-Site Scripting (exploitdb, 2009-11-10, CVE-2009-4250)
---
source: https://www.securityfocus.com/bid/36971/info
CuteNews and UTF-8 CuteNews are prone to multiple vulnerabilities, including cross-site scripting, HTML-injection, information-disclosure, arbitrary-script-injection, and security-bypass issues.
Note that exploits for some of the issues may require administrator privilege.
Successful exploits may allow attackers to:
- obtain sensitive information
- gain unauthorized access to the affected application
- run arbitrary script code in the browser of an unsuspecting user in the context of the affected site
- hijack user sessions
- execute arbitrary commands in the context of the webserver process
A successful attack will compromise the application and may aid in further attacks.
http:/
No writeups or analysis indexed.
References
http://www.morningstarsecurity.com/advisories/MORNINGSTAR-2009-02-CuteNews.txt
http://www.securityfocus.com/archive/1/507782/100/0/threaded
http://www.securityfocus.com/bid/36971
https://exchange.xforce.ibmcloud.com/vulnerabilities/54221
https://exchange.xforce.ibmcloud.com/vulnerabilities/54222
https://exchange.xforce.ibmcloud.com/vulnerabilities/54223
https://exchange.xforce.ibmcloud.com/vulnerabilities/54224
https://exchange.xforce.ibmcloud.com/vulnerabilities/54237