PT-2005-4377 · Cutenews · Cutenews

Poizon

Published

2005-11-16

Updated

2016-10-18

CVE-2005-3592

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions CuteNews versions 1.4.0 and earlier

Description The issue allows remote attackers to obtain the installation path of the application by triggering an error message. This can be achieved by entering multiple ../ (dot dot slash) in the archive parameter of the "index.php" endpoint.

Recommendations For CuteNews versions 1.4.0 and earlier, consider restricting access to the archive parameter in the "index.php" endpoint until a fix is available. As a temporary workaround, avoid using the archive parameter with multiple ../ (dot dot slash) entries to minimize the risk of path disclosure.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2005-3592

Affected Products

Cutenews

PT-2005-4377 · Cutenews · Cutenews

CVE-2005-3592

Related Identifiers

Affected Products

References · 3