PT-2005-1688 · Cutenews · Cutenews

Published

2005-03-04

Updated

2016-10-18

CVE-2005-0645

CVSS v2.0

4.3

Medium

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions cuteNews version 1.3.6

Description The issue allows remote attackers to inject arbitrary HTML, web script, and PHP code via the CLIENT-IP or X-FORWARDED-FOR header in an HTTP POST request to "show news.php". This is a cross-site scripting (XSS) issue.

Recommendations For cuteNews version 1.3.6, consider restricting access to the show news.php endpoint until a patch is available, and avoid using the CLIENT-IP or X-FORWARDED-FOR header in HTTP POST requests to this endpoint.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2005-0645

Affected Products

Cutenews

PT-2005-1688 · Cutenews · Cutenews

CVE-2005-0645

Related Identifiers

Affected Products

References · 3