Cross-Site Scripting Vulnerabilities in CutePHP CuteNews by CutePHP
CVE-2009-4249
Currently unrated
What is CVE-2009-4249?
Multiple cross-site scripting (XSS) vulnerabilities exist in CutePHP's CuteNews 1.4.6 when register_globals is enabled and magic_quotes_gpc is disabled. Remote attackers can exploit them to inject arbitrary web script or HTML. The injection points are the 'lastusername' and 'mod' parameters in index.php and the 'title' parameter in search.php. Addressing these issues is critical to maintaining the security and integrity of web applications that use this software.