PT-2008-1625 · Cutenews · Cutenews
Published
2008-01-04
·
Updated
2018-10-15
·
CVE-2007-6662
CVSS v2.0
5.8
Medium
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
CuteNews version 2.6
Description
A directory traversal issue exists, allowing remote attackers to read arbitrary files. This can be achieved by including a .. (dot dot) in the
file parameter. For example, an attacker could read the admin username and password hash in data/users.db.php.Recommendations
For CuteNews version 2.6, consider restricting access to the
file.php script until a patch is available. As a temporary workaround, avoid using the file parameter in the affected script to minimize the risk of exploitation.Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Cutenews