PT-2009-6342 · Cutenews · Cutenews

Published

2009-12-02

·

Updated

2018-10-10

·

CVE-2009-4174

CVSS v2.0

6.0

Medium

Vector

AV:N/AC:M/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

CuteNews 1.4.6 and UTF-8 CuteNews prior to 8b

Description

CuteNews 1.4.6 and UTF-8 CuteNews prior to 8b allow remote authenticated users with the Journalist or Editor access level to bypass moderation and edit previously submitted articles by supplying a modified id parameter to the doeditnews action. The bypass works when the PHP setting magic_quotes_gpc is disabled, which implies that the handler relies on that runtime setting to neutralise the parameter instead of validating the id itself and checking the requester against the stored article. Note that magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4, so on any current PHP runtime it is always disabled.

Recommendations

Until a patch is available: for CuteNews 1.4.6, disable the doeditnews action for accounts with Journalist or Editor access; for UTF-8 CuteNews prior to 8b, restrict access to the editnews module. Do not treat enabling magic_quotes_gpc as a mitigation, since it is unavailable on PHP 5.4 and later.
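The description above turns on two things: the id parameter reaching doeditnews with no validation of its own, and nothing binding the requested article to the requesting account or to its moderation state. The PHP below is an added example written for this page, not CuteNews code and not the vendor's fix. It shows that weak pattern beside an authorization check that is independent of magic_quotes_gpc and that implements the interim recommendation (doeditnews closed to Journalist and Editor accounts) as a role allow-list. The in-memory article store, the role names, the sample requests, and the function names weak_can_edit and authorize_doeditnews are all assumptions made for the illustration.

```php
<?php
// Added example (not CuteNews code): a doeditnews authorization check that
// does not depend on magic_quotes_gpc. Article store, role names and the
// function names below are assumptions made for this illustration.

declare(strict_types=1);

// Constructed sample store standing in for the flat news files:
// id => author, moderation state, body.
$articles = [
    1001 => ['author' => 'alice', 'approved' => true,  'text' => 'Published by alice'],
    1002 => ['author' => 'bob',   'approved' => false, 'text' => 'Bob, awaiting moderation'],
];

// Weak pattern (illustrating the class of mistake, not the CuteNews code
// itself): the id is taken from the request as-is and the only question
// asked is whether some article with that id exists. Whether quotes or other
// metacharacters in $rawId get neutralised depends entirely on the
// magic_quotes_gpc runtime setting, and nothing ties the article to the
// requesting account or to its moderation state.
function weak_can_edit(array $articles, string $rawId): bool
{
    return isset($articles[(int) $rawId]);
}

// Hardened check. $allowedRoles defaults to the advisory's interim
// mitigation (doeditnews closed to Journalist and Editor accounts); a
// patched deployment would widen the list and rely on the ownership and
// moderation checks below. Returns [allowed, reason].
function authorize_doeditnews(
    array $articles,
    string $user,
    string $role,
    $rawId,
    array $allowedRoles = ['administrator']
): array {
    // 1. Role gate, evaluated before anything derived from the request.
    if (!in_array($role, $allowedRoles, true)) {
        return [false, "doeditnews is disabled for role '$role'"];
    }
    // 2. Strict syntactic validation of id: a bounded decimal integer and
    //    nothing else, so the runtime's quoting behaviour is irrelevant.
    if (!is_string($rawId) || !preg_match('/^[1-9][0-9]{0,15}$/', $rawId)) {
        return [false, 'malformed id'];
    }
    $id = (int) $rawId;
    if (!isset($articles[$id])) {
        return [false, 'no such article'];
    }
    $article = $articles[$id];
    // 3. Ownership is decided from the stored record, never from the request.
    if ($role !== 'administrator' && $article['author'] !== $user) {
        return [false, 'article belongs to another user'];
    }
    // 4. Moderation cannot be bypassed: an unapproved article may only be
    //    changed by an account allowed to moderate.
    if (!$article['approved'] && $role !== 'administrator') {
        return [false, 'article is awaiting moderation'];
    }
    return [true, 'ok'];
}

// Constructed requests: bob (journalist) targets alice's article through a
// modified id, then an id carrying extra characters, then his own pending
// article; finally an administrator edits the pending article.
$requests = [
    ['bob',   'journalist',    '1001'],
    ['bob',   'journalist',    "1001' OR 1"],
    ['bob',   'journalist',    '1002'],
    ['alice', 'administrator', '1002'],
];
foreach ($requests as [$user, $role, $rawId]) {
    $weak = weak_can_edit($articles, $rawId) ? 'allow' : 'deny';
    [$ok, $why] = authorize_doeditnews($articles, $user, $role, $rawId);
    [$ok2, $why2] = authorize_doeditnews(
        $articles, $user, $role, $rawId, ['administrator', 'editor', 'journalist']
    );
    printf(
        "%-6s %-13s id=%-14s weak=%-5s interim=%s (%s) patched=%s (%s)\n",
        $user, $role, var_export($rawId, true), $weak,
        $ok ? 'allow' : 'deny', $why, $ok2 ? 'allow' : 'deny', $why2
    );
}
```

Run it with `php` from the command line. The weak check allows every request whose id casts to an existing article, including the one with trailing characters; the hardened check refuses the Journalist at the role gate under the interim allow-list and, once the list is widened, still refuses the malformed id and the edit of another user's article, while letting the administrator through.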

Exploit

Fix


Weakness Enumeration

Related Identifiers

CVE-2009-4174

Affected Products

Cutenews