PT-2005-3847 · Cutenews · Cutenews

Rgod · Published 2005-09-21 · Updated 2008-09-05 · CVE-2005-3010

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the vulnerable software and affected versions: CuteNews versions 1.4.0 and earlier

Description: A direct static code injection vulnerability exists in the flood protection feature of CuteNews, allowing remote attackers to execute arbitrary PHP code. The attacker supplies code in the HTTP CLIENT IP header, and the feature writes the header value into data/flood.db.php without sanitising it.

Recommendations: For CuteNews versions 1.4.0 and earlier, disable the flood protection feature in inc/shows.inc.php until a patch is available. Restrict access to data/flood.db.php to limit the impact of arbitrary PHP code execution. Do not use the HTTP CLIENT IP header in the affected feature until the issue is resolved.
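The hardened counterpart of the pattern described above, as an added example that is not CuteNews code: the client address is taken from REMOTE_ADDR rather than a client-supplied header, validated as an IP literal before it reaches storage, and the flood records are kept in a JSON data file rather than a .php file, so a stored value can never be executed. Function names, the file layout and the time window are assumptions.

```php
<?php
// Added example (not CuteNews code): flood protection that never trusts a
// client-supplied IP header and never writes user data into executable code.

function resolve_client_ip(array $server): string {
    // Assumption: the application is not behind a trusted reverse proxy, so
    // REMOTE_ADDR is the only address the client cannot choose freely.
    // HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are attacker-controlled input.
    $ip = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new RuntimeException('no valid client address available');
    }
    return $ip;
}

// Returns true when $ip already posted inside the window (i.e. is flooding).
function record_flood_hit(string $dbFile, string $ip, int $now, int $window = 60): bool {
    // Validate again at the storage boundary: anything that is not an IP
    // literal is refused, so "<?php ... ?>" cannot reach the data file.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }

    $entries = [];
    if (is_file($dbFile)) {
        $decoded = json_decode((string) file_get_contents($dbFile), true);
        $entries = is_array($decoded) ? $decoded : [];
    }

    // Drop entries older than the window; array_filter keeps the IP keys.
    $entries = array_filter($entries, fn($ts) => (int) $ts > $now - $window);

    $flooding = isset($entries[$ip]);
    $entries[$ip] = $now;

    // Assumption: $dbFile is a JSON file stored outside the web root, not a
    // .php file, so its contents are data for json_decode and nothing else.
    file_put_contents($dbFile, json_encode($entries, JSON_THROW_ON_ERROR), LOCK_EX);
    return $flooding;
}

// Usage sketch for a comment handler (hypothetical path):
// $ip = resolve_client_ip($_SERVER);
// if (record_flood_hit('/var/lib/cutenews/flood.json', $ip, time())) { http_response_code(429); exit; }
```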


Related identifiers: CVE-2005-3010

Affected products: Cutenews