Directory Traversal Vulnerabilities in CutePHP CuteNews Affecting User Access
CVE-2009-4116
Currently unrated
What is CVE-2009-4116?
Multiple directory traversal vulnerabilities exist in CutePHP CuteNews version 1.4.6, particularly when magic_quotes_gpc is disabled. These flaws enable authenticated users with editor or administrative access to read arbitrary files by exploiting the source parameter through the list and editnews actions within the Editnews module. Additionally, attackers may leverage the save_con[skin] parameter in the Options module to include and execute local files, posing a significant risk of remote code execution.
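A defensive check for the two parameters named above, written as an added example (not code from the advisory or from CuteNews). It assumes legitimate `source` and `save_con[skin]` values are plain identifiers; the `action` parameter name in the sample inputs is also an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote

# Parameters named in the CVE-2009-4116 description.
WATCHED = ("source", "save_con[skin]")
# Assumption: legitimate values are plain identifiers (no separators, dots or NULs).
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{0,64}")

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so a doubly encoded '..' is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return None for an acceptable value, otherwise a short reason string."""
    plain = fully_decode(value)
    if "\x00" in plain:
        return "nul-byte"
    segments = re.split(r"[\\/]", plain)
    if ".." in segments:
        return "dot-dot-segment"
    if len(segments) > 1:
        return "path-separator"
    if not SAFE_VALUE.fullmatch(plain):
        return "unexpected-characters"
    return None

def audit(encoded_params):
    """Scan a raw query string or form body; return [(param, reason)]."""
    findings = []
    for name, value in parse_qsl(encoded_params, keep_blank_values=True):
        if name in WATCHED:
            reason = classify(value)
            if reason:
                findings.append((name, reason))
    return findings

# Constructed sample inputs (not captured traffic).
SAMPLES = [
    "action=list&source=archive_2009",
    "action=list&source=..%2F..%2Fsome%2Ffile",
    "save_con%5Bskin%5D=themes%2Fcustom",
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, audit(sample))
```

The same `classify` logic can run as an input filter in front of the application or over logged request parameters to flag past attempts.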