PT-2009-6340 · Cutenews · Cutenews
Published
2009-12-02
·
Updated
2018-10-10
·
CVE-2009-4172
CVSS v2.0
2.6
Low
| Vector | AV:N/AC:H/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
CuteNews versions 1.4.6, 8, and 8b
Description
A cross-site scripting (XSS) issue exists due to the lack of proper input validation in the
body of a news article when the addnews action is performed. This occurs when magic quotes gpc is disabled, allowing remote attackers to inject arbitrary web script or HTML.Recommendations
For CuteNews versions 1.4.6, 8, and 8b, consider disabling the
addnews action or restricting access to it until a proper fix is applied, and ensure that magic quotes gpc is enabled to mitigate the risk of exploitation.Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Cutenews