CVE-2009-4249

Name of the Vulnerable Software and Affected Versions CuteNews version 1.4.6

Description The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can occur through the lastusername and mod parameters to "index.php", and the title parameter to "search.php", when register globals is enabled and magic quotes gpc is disabled.

Recommendations For CuteNews version 1.4.6, consider disabling the register globals setting and enabling magic quotes gpc to mitigate the risk of exploitation. Additionally, restrict access to the index.php and search.php files to minimize the risk of XSS attacks. Avoid using the lastusername, mod, and title parameters in the affected API endpoints until the issue is resolved.