CVE-2019-11447

Name of the Vulnerable Software and Affected Versions CutePHP CuteNews version 2.1.2

Description An issue allows an attacker to infiltrate the server through the avatar upload process in the profile area via the "index.php?mod=main&opt=personal" endpoint, by exploiting the avatar file field. The lack of effective control of $imgsize in /core/modules/dashboard.php enables an attacker to change the header content of a file, bypass controls, and potentially achieve code execution, for example, by using a GIF header.

Recommendations For CutePHP CuteNews version 2.1.2, consider disabling the avatar upload feature in the profile area until a patch is available to prevent exploitation through the avatar file field in the "index.php?mod=main&opt=personal" endpoint. Restrict access to the /core/modules/dashboard.php module to minimize the risk of exploitation related to the $imgsize variable.