cbcvebase.

Cutephp Cutenews vulnerabilities

38 known vulnerabilities affecting cutephp/cutenews.

Total CVEs
38
CISA KEV
0
Public exploits
19
Exploited in wild
1
Severity breakdown
CRITICAL1HIGH8MEDIUM25LOW4

Vulnerabilities

Page 2 of 2
CVE-2009-4113P4MEDIUMCVSS 6.5v1.4.62009-11-30
CVE-2009-4113 [MEDIUM] CWE-94 CVE-2009-4113: Static code injection vulnerability in the Categories module in CutePHP CuteNews 1.4.6 and UTF-8 Cut Static code injection vulnerability in the Categories module in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allows remote authenticated users with application administrative privileges to inject arbitrary PHP code into data/category.db.php via the Category Access field.
nvd
CVE-2006-4445P4HIGHCVSS 7.5v1.3v1.3.1+2 more2006-08-29
CVE-2006-4445 [HIGH] CVE-2006-4445: Multiple PHP remote file inclusion vulnerabilities in CuteNews 1.3.x allow remote attackers to execu Multiple PHP remote file inclusion vulnerabilities in CuteNews 1.3.x allow remote attackers to execute arbitrary PHP code via a URL in the cutepath parameter to (1) show_news.php or (2) search.php. NOTE: CVE analysis as of 20060829 has not identified any scenarios in which these vectors could result in remote file inclusion
nvd
CVE-2009-4249P4LOWCVSS 2.6PoCv1.4.62009-12-10
CVE-2009-4249 [LOW] CWE-79 CVE-2009-4249: Multiple cross-site scripting (XSS) vulnerabilities in CutePHP CuteNews 1.4.6, when register_globals Multiple cross-site scripting (XSS) vulnerabilities in CutePHP CuteNews 1.4.6, when register_globals is enabled and magic_quotes_gpc is disabled, allow remote attackers to inject arbitrary web script or HTML via the (1) lastusername and (2) mod parameters to index.php; and (3) the title parameter to search.php.
nvd
CVE-2007-1153P4HIGHCVSS 7.5v1.3.62007-03-02
CVE-2007-1153 [HIGH] CVE-2007-1153: Multiple PHP remote file inclusion vulnerabilities in CutePHP CuteNews 1.3.6 allow remote attackers Multiple PHP remote file inclusion vulnerabilities in CutePHP CuteNews 1.3.6 allow remote attackers to execute arbitrary PHP code via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: issue might overlap CVE-2004-1660 or CVE-2006-4445.
nvd
CVE-2004-1573P4HIGHCVSS 7.2v0.88v1.3+3 more2004-12-31
CVE-2004-1573 [HIGH] CVE-2004-1573: The documentation for AJ-Fork 167 implies that users should set permissions for users.db.php to 777, The documentation for AJ-Fork 167 implies that users should set permissions for users.db.php to 777, which allows local users to execute arbitrary PHP code and gain privileges as the administrator.
nvd
CVE-2007-6662P4MEDIUMCVSS 5.8v2.62008-01-04
CVE-2007-6662 [MEDIUM] CWE-22 CVE-2007-6662: Directory traversal vulnerability in file.php in CuteNews 2.6 allows remote attackers to read arbitr Directory traversal vulnerability in file.php in CuteNews 2.6 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter, as demonstrated by reading the admin username and password hash in data/users.db.php.
nvd
CVE-2006-1339P4MEDIUMCVSS 5.0≤ 1.4.12006-03-21
CVE-2006-1339 [MEDIUM] CVE-2006-1339: Directory traversal vulnerability in inc/functions.inc.php in CuteNews 1.4.1 and possibly other vers Directory traversal vulnerability in inc/functions.inc.php in CuteNews 1.4.1 and possibly other versions, when register_globals is enabled, allows remote attackers to include arbitrary files via a .. (dot dot) sequence and trailing NULL (%00) byte in the archive parameter in an HTTP POST or COOKIE request, which bypasses a sanity check that is only applied to
nvd
CVE-2005-1876P4MEDIUMCVSS 4.5≤ 1.3.62005-06-09
CVE-2005-1876 [MEDIUM] CWE-94 CVE-2005-1876: Direct code injection vulnerability in CuteNews 1.3.6 and earlier allows remote attackers with admin Direct code injection vulnerability in CuteNews 1.3.6 and earlier allows remote attackers with administrative privileges to execute arbitrary PHP code via certain inputs that are injected into a template (.tpl) file.
nvd
CVE-2020-5557P4MEDIUMCVSS 6.1v2.0.12020-03-25
CVE-2020-5557 [MEDIUM] CWE-79 CVE-2020-5557: Cross-site scripting vulnerability in CuteNews 2.0.1 allows remote attackers to inject arbitrary web Cross-site scripting vulnerability in CuteNews 2.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
nvd
CVE-2009-4116P4LOWCVSS 3.5v1.4.62009-11-30
CVE-2009-4116 [LOW] CWE-22 CVE-2009-4116: Multiple directory traversal vulnerabilities in CutePHP CuteNews 1.4.6, when magic_quotes_gpc is dis Multiple directory traversal vulnerabilities in CutePHP CuteNews 1.4.6, when magic_quotes_gpc is disabled, allow remote authenticated users with editor or administrative application access to read arbitrary files via a .. (dot dot) in the source parameter in a (1) list or (2) editnews action to the Editnews module, and (3) the save_con[skin] parameter in
nvd
CVE-2006-1340P4MEDIUMCVSS 5.0≤ 1.4.1v0.88+5 more2006-03-21
CVE-2006-1340 [MEDIUM] CVE-2006-1340: CuteNews 1.4.1 and possibly other versions allows remote attackers to obtain the installation path v CuteNews 1.4.1 and possibly other versions allows remote attackers to obtain the installation path via unspecified vectors involving an invalid file path.
nvd
CVE-2005-3009P4MEDIUMCVSS 4.3v0.88v1.3+3 more2005-09-21
CVE-2005-3009 [MEDIUM] CVE-2005-3009: Cross-site scripting (XSS) vulnerability in CuteNews allows remote attackers to inject arbitrary web Cross-site scripting (XSS) vulnerability in CuteNews allows remote attackers to inject arbitrary web script or HTML via the mod parameter to index.php.
nvd
CVE-2005-2393P4MEDIUMCVSS 4.3v1.3.62005-07-27
CVE-2005-2393 [MEDIUM] CVE-2005-2393: Cross-site scripting (XSS) vulnerability in CuteNews 1.3.6 allows remote attackers to inject arbitra Cross-site scripting (XSS) vulnerability in CuteNews 1.3.6 allows remote attackers to inject arbitrary web script or HTML via (1) the lastusername parameter to index.php or (2) selected_search_arch parameter to search.php.
nvd
CVE-2005-2394P4MEDIUMCVSS 5.0v1.3.62005-07-27
CVE-2005-2394 [MEDIUM] CVE-2005-2394: show_news.php in CuteNews 1.3.6 allows remote attackers to obtain the full path of the server via an show_news.php in CuteNews 1.3.6 allows remote attackers to obtain the full path of the server via an invalid archive parameter.
nvd
CVE-2005-3592P4MEDIUMCVSS 5.0≤ 1.4.02005-11-16
CVE-2005-3592 [MEDIUM] CVE-2005-3592: index.php CuteNews 1.4.0 and earlier allows remote attackers to obtain the path of the installation index.php CuteNews 1.4.0 and earlier allows remote attackers to obtain the path of the installation path of the application by triggering an error message, such as by entering multiple ../ (dot dot slash) in the archive parameter.
nvd
CVE-2004-2615P4MEDIUMCVSS 4.6v1.3.62004-12-31
CVE-2004-2615 [MEDIUM] CVE-2004-2615: The documentation for CuteNews 1.3.6 and possibly other versions specifies that files under cutenews The documentation for CuteNews 1.3.6 and possibly other versions specifies that files under cutenews/data must be manually given world-writable permissions, which allows local users to insert false news, delete news, and possibly gain privileges or have other unknown impact.
nvd
CVE-2006-3661P4LOWCVSS 2.6v1.4.52006-07-18
CVE-2006-3661 [LOW] CVE-2006-3661: Cross-site scripting (XSS) vulnerability in Index.PHP in CuteNews 1.4.5 allows remote attackers to i Cross-site scripting (XSS) vulnerability in Index.PHP in CuteNews 1.4.5 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. NOTE: the provenance of this information is unknown; the details are obtained from third party information.
nvd
CVE-2006-2250P4MEDIUMCVSS 6.4v1.4.12006-05-09
CVE-2006-2250 [MEDIUM] CVE-2006-2250: CuteNews 1.4.1 allows remote attackers to obtain sensitive information via a direct request to (1) / CuteNews 1.4.1 allows remote attackers to obtain sensitive information via a direct request to (1) /inc/show.inc.php or (2) /inc/functions.inc.php, which reveal the path in an error message.
nvd
Cutephp Cutenews vulnerabilities | cvebase