CVE-2009-4250

Name of the Vulnerable Software and Affected Versions CuteNews versions 1.4.6 and earlier UTF-8 CuteNews version 8b and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved through various parameters, including the result parameter to "register.php", the user parameter to "search.php", and several parameters in the "editnews" module of "index.php", such as cat msg, source msg, postponed selected, unapproved selected, and news per page. Additionally, the link tag in news comments is vulnerable. Some of the vulnerabilities require specific PHP settings, such as register globals to be enabled and/or magic quotes gpc to be disabled.

Recommendations For CuteNews versions 1.4.6 and earlier, consider disabling the register.php and search.php scripts until a patch is available. For UTF-8 CuteNews version 8b and earlier, restrict access to the editnews module of index.php to minimize the risk of exploitation. Avoid using the vulnerable parameters, such as result, user, cat msg, source msg, postponed selected, unapproved selected, and news per page, in the affected scripts until the issue is resolved. As a temporary workaround, consider disabling the link tag in news comments to prevent exploitation.