Security Bypass in CuteNews by CutePHP for Unauthorized Article Editing
CVE-2009-4174
Currently unrated
What is CVE-2009-4174?
The editnews module in CuteNews 1.4.6 and earlier releases of UTF-8 CuteNews has a security bypass flaw that is exposed when magic_quotes_gpc is disabled. It lets remote authenticated users with Journalist or Editor permissions circumvent administrative moderation. By manipulating the id parameter during the doeditnews action, these users can directly edit previously submitted articles, leading to unauthorized alterations in the content management system.