CVE-2019-11447
published 2019-04-22

Priority: P1 (85, high)
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 52.90% (98.8th percentile)
An issue was discovered in CutePHP CuteNews 2.1.2. An attacker can infiltrate the server through the avatar upload process in the profile area via the avatar_file field to index.php?mod=main&opt=personal. There is no effective control of $imgsize in /core/modules/dashboard.php. The header content of a file can be changed and the control can be bypassed for code execution. (An attacker can use the GIF header for this.)

Affected

1 range
Vendor    Product    Version range    Fixed in
cutephp   cutenews

Detection & IOCs (extracted from sources)

path   /core/modules/dashboard.php
url    /CuteNews/cdata/users/lines
url    /CuteNews/index.php?register
path   /CuteNews/uploads/avatar_{logged_user}_{logged_user}.php
path   /CuteNews/uploads/avatar_{USERNAME}_{shell}.php
bytes  GIF8;
bytes  GIF
  • Detect a multipart POST to index.php whose avatar_file part carries a PHP filename and a body that begins with the GIF magic bytes; this is the core upload bypass.
  • Alert on HTTP GET or POST requests to /CuteNews/uploads/avatar_*.php; successful exploitation leaves a PHP webshell reachable at this path.
  • Monitor POST requests to index.php?mod=main&opt=personal whose multipart body contains a .php filename in the avatar_file part; this indicates an active exploitation attempt.
  • Watch for a registration followed within seconds by a profile update (avatar upload) from the same session or IP; the public exploit registers a throwaway user and immediately uploads the webshell.
  • Detect unauthenticated or newly registered users reading /CuteNews/cdata/users/lines; the exploit harvests SHA-256 password hashes from this endpoint.
  • Flag POST requests to index.php with action=register and a regemail matching *@hack.me, the address pattern used by the public PoC exploit.
  • Inspect files in the avatar upload directory for GIF magic bytes (the PoC uses GIF8;) prepended to PHP code; the bypass relies on this prefix to pass the $imgsize check. A genuine GIF starts with GIF87a or GIF89a, and if, as is typical for such checks, $imgsize comes from PHP's getimagesize(), the three bytes GIF alone are enough to be recognised as an image. The bare GIF indicator above therefore also matches every legitimate avatar and is only meaningful in combination with a PHP extension or PHP open tags in the same file.
  • The vulnerable code path is in /core/modules/dashboard.php, where $imgsize is not effectively controlled; patches or WAF rules should target this file's avatar upload handling.
  • No admin privileges are required: any ordinary registered user can trigger the upload and achieve RCE.
  • The Metasploit module targets CuteNews versions strictly below 2.1.3; its version detection is based on the version string in the index.php response body.
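The detection points above, worked into running code. This is an added example, not code from this page, from CutePHP or from any vendor's detection rule. The paths, the avatar_file field, the index.php?mod=main&opt=personal target, the @hack.me pattern and the GIF8; prefix are the IOCs listed above; the request model, the hand-written multipart parser, the tag names, the 60-second correlation window and the sample traffic are assumptions made for the example (the traffic is constructed, not captured).

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# IOCs (paths, field name, GIF8; prefix) are the page's; the regexes, tag names
# and the 60 s correlation window are assumptions made for this example.
PHP_EXT_RE = re.compile(r"\.ph(?:p\d?|tml|ar)$", re.I)        # .php .php5 .phtml .phar
WEBSHELL_RE = re.compile(r"/uploads/avatar_[^/]+\.ph(?:p\d?|tml|ar)$", re.I)
USERS_LINES_RE = re.compile(r"/cdata/users/lines$", re.I)


@dataclass
class HttpRequest:
    method: str
    target: str            # request-target: path plus optional query string
    content_type: str = ""
    body: bytes = b""


def parse_multipart(content_type: str, body: bytes) -> list[tuple[str, str | None, bytes]]:
    """Minimal multipart/form-data parser returning (field, filename, data) per part.
    Sufficient for the constructed samples; use a real parser on production traffic."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return []
    delim = b"--" + m.group(1).encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):                      # closing delimiter
            break
        head, _, data = chunk.strip(b"\r\n").partition(b"\r\n\r\n")
        disp = re.search(rb'(?:^|;\s*)name="([^"]*)"(?:;\s*filename="([^"]*)")?', head)
        if disp:
            fname = disp.group(2).decode() if disp.group(2) is not None else None
            parts.append((disp.group(1).decode(), fname, data))
    return parts


def is_gif_php_polyglot(data: bytes) -> bool:
    """The bypass payload: a GIF signature prefix over PHP code. Only the three
    bytes 'GIF' are needed to satisfy a lenient header check such as getimagesize()."""
    return data[:3] == b"GIF" and (b"<?php" in data or b"<?=" in data)


def inspect_request(req: HttpRequest) -> list[str]:
    """Return the detection tags that fire for a single request."""
    tags: list[str] = []
    path, _, query = req.target.partition("?")
    qs = parse_qs(query)
    if WEBSHELL_RE.search(path):
        tags.append("webshell-access")                   # uploads/avatar_*.php invoked
    if USERS_LINES_RE.search(path):
        tags.append("user-hash-harvest")                 # cdata/users/lines read
    if req.method != "POST" or not path.lower().endswith("index.php"):
        return tags
    if req.content_type.lower().startswith("multipart/form-data"):
        if qs.get("mod") == ["main"] and qs.get("opt") == ["personal"]:
            tags.append("profile-update")                # the vulnerable form target
        for field, fname, data in parse_multipart(req.content_type, req.body):
            if field != "avatar_file" or fname is None:
                continue
            if PHP_EXT_RE.search(fname):
                tags.append("php-avatar-upload")
            if is_gif_php_polyglot(data):
                tags.append("gif-php-polyglot")
    else:
        form = parse_qs(req.body.decode("utf-8", "replace"))
        if form.get("action") == ["register"]:
            tags.append("registration")
            if any(e.lower().endswith("@hack.me") for e in form.get("regemail", [])):
                tags.append("poc-registration")          # address pattern of the public PoC
    return tags


def correlate(events, window: float = 60) -> list[str]:
    """events: (timestamp, client_ip, tags). Flags a client that registers and then
    uploads a PHP avatar within `window` seconds (throwaway-account pattern)."""
    last_registration: dict[str, float] = {}
    flagged = []
    for ts, ip, tags in events:
        if "registration" in tags:
            last_registration[ip] = ts
        if "php-avatar-upload" in tags and ts - last_registration.get(ip, float("-inf")) <= window:
            flagged.append(ip)
    return flagged


def scan_avatar_dir(files: dict[str, bytes]) -> list[str]:
    """Offline check of the uploads directory (name -> content): files with a PHP
    extension or a GIF prefix over PHP code."""
    return [n for n, d in files.items() if PHP_EXT_RE.search(n) or is_gif_php_polyglot(d)]


BOUNDARY = "----exampleboundary"


def multipart_avatar(filename: str, data: bytes) -> tuple[str, bytes]:
    """Build a one-part avatar_file upload (constructed sample input)."""
    head = (f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"avatar_file\"; "
            f"filename=\"{filename}\"\r\nContent-Type: image/gif\r\n\r\n").encode()
    return f"multipart/form-data; boundary={BOUNDARY}", head + data + f"\r\n--{BOUNDARY}--\r\n".encode()


EXPLOIT_CT, EXPLOIT_BODY = multipart_avatar("shell.php", b"GIF8;\n<?php echo 'x'; ?>")
BENIGN_CT, BENIGN_BODY = multipart_avatar("me.gif", b"GIF89a\x01\x00\x01\x00\x80\x00\x00")
FORM_CT = "application/x-www-form-urlencoded"

# Constructed traffic as (timestamp, client_ip, request); not real logs.
SAMPLE_TRAFFIC = [
    (0, "203.0.113.7", HttpRequest("POST", "/CuteNews/index.php?register", FORM_CT,
                                   b"action=register&regusername=tmp&regemail=tmp@hack.me&regpassword=x")),
    (5, "203.0.113.7", HttpRequest("POST", "/CuteNews/index.php?mod=main&opt=personal", EXPLOIT_CT, EXPLOIT_BODY)),
    (6, "203.0.113.7", HttpRequest("GET", "/CuteNews/uploads/avatar_tmp_shell.php?c=id")),
    (7, "203.0.113.7", HttpRequest("GET", "/CuteNews/cdata/users/lines")),
    (900, "198.51.100.2", HttpRequest("POST", "/CuteNews/index.php?mod=main&opt=personal", BENIGN_CT, BENIGN_BODY)),
]


def run_detection(traffic=SAMPLE_TRAFFIC):
    """Per-request tags plus the clients flagged by the register-then-upload correlation."""
    per_request = [(ts, ip, inspect_request(req)) for ts, ip, req in traffic]
    return per_request, correlate(per_request)


if __name__ == "__main__":
    tagged, flagged = run_detection()
    for ts, ip, tags in tagged:
        print(f"t={ts:<4} {ip:<14} {' '.join(tags) or '-'}")
    print("register-then-upload from:", flagged)
```

Running it tags the first client with registration, poc-registration, profile-update, php-avatar-upload, gif-php-polyglot, webshell-access and user-hash-harvest in sequence and flags it in the correlation, while the second client's genuine GIF avatar produces only profile-update. The polyglot check is deliberately the same weak test the bypass exploits (a bare GIF prefix), which is why it is paired with the PHP extension or PHP tag condition rather than used alone.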

CVSS provenance

nvd         v3.0   8.8   HIGH     CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0   6.5   MEDIUM   AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck          8.8   HIGH