CVE-2009-4115

Name of the Vulnerable Software and Affected Versions CuteNews version 1.4.6

Description The issue allows remote authenticated users with administrative privileges to inject arbitrary PHP code. This can be achieved through the Categories module by injecting code into data/category.db.php via the category and Icon URL fields, or into data/ipban.php via the add ip parameter.

Recommendations For CuteNews version 1.4.6, consider disabling the Categories module until a patch is available to prevent arbitrary PHP code injection. Restrict access to the category and Icon URL fields, as well as the add ip parameter, to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.