Total
39 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2007-6662 | 1 Cutephp | 1 Cutenews | 2025-04-09 | 5.8 MEDIUM | N/A |
| Directory traversal vulnerability in file.php in CuteNews 2.6 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter, as demonstrated by reading the admin username and password hash in data/users.db.php. | |||||
| CVE-2009-4115 | 1 Cutephp | 1 Cutenews | 2025-04-09 | 6.5 MEDIUM | N/A |
| Multiple static code injection vulnerabilities in the Categories module in CutePHP CuteNews 1.4.6 allow remote authenticated users with application administrative privileges to inject arbitrary PHP code into data/category.db.php via the (1) category and (2) Icon URL fields; or (3) inject arbitrary PHP code into data/ipban.php via the add_ip parameter. | |||||
| CVE-2007-1153 | 1 Cutephp | 1 Cutenews | 2025-04-09 | 7.5 HIGH | N/A |
| Multiple PHP remote file inclusion vulnerabilities in CutePHP CuteNews 1.3.6 allow remote attackers to execute arbitrary PHP code via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: issue might overlap CVE-2004-1660 or CVE-2006-4445. | |||||
| CVE-2009-4175 | 2 Cutephp, Korn19 | 2 Cutenews, Utf-8 Cutenews | 2025-04-09 | 5.0 MEDIUM | N/A |
| CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allows remote attackers to obtain sensitive information via an invalid date value in the from_date_day parameter to search.php, which reveals the installation path in an error message. | |||||
| CVE-2009-4250 | 2 Cutephp, Korn19 | 2 Cutenews, Utf-8 Cutenews | 2025-04-09 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allow remote attackers to inject arbitrary web script or HTML via (1) the result parameter to register.php; (2) the user parameter to search.php; the (3) cat_msg, (4) source_msg, (5) postponed_selected, (6) unapproved_selected, and (7) news_per_page parameters in a list action to the editnews module of index.php; and (8) the link tag in news comments. NOTE: some of the vulnerabilities require register_globals to be enabled and/or magic_quotes_gpc to be disabled. | |||||
| CVE-2009-4116 | 1 Cutephp | 1 Cutenews | 2025-04-09 | 3.5 LOW | N/A |
| Multiple directory traversal vulnerabilities in CutePHP CuteNews 1.4.6, when magic_quotes_gpc is disabled, allow remote authenticated users with editor or administrative application access to read arbitrary files via a .. (dot dot) in the source parameter in a (1) list or (2) editnews action to the Editnews module, and (3) the save_con[skin] parameter in the Options module. NOTE: vector 3 can be leveraged for code execution by using a .. to include and execute arbitrary local files. | |||||
| CVE-2006-6300 | 1 Cutephp | 1 Cutenews | 2025-04-09 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in CuteNews 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the result parameter. | |||||
| CVE-2008-4557 | 1 Cutephp | 1 Cutenews | 2025-04-09 | 10.0 HIGH | N/A |
| plugins/wacko/highlight/html.php in Strawberry in CuteNews.ru 1.1.1 (aka Strawberry) allows remote attackers to execute arbitrary PHP code via the text parameter, which is inserted into an executable regular expression. | |||||
| CVE-2009-4249 | 1 Cutephp | 1 Cutenews | 2025-04-09 | 2.6 LOW | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in CutePHP CuteNews 1.4.6, when register_globals is enabled and magic_quotes_gpc is disabled, allow remote attackers to inject arbitrary web script or HTML via the (1) lastusername and (2) mod parameters to index.php; and (3) the title parameter to search.php. | |||||
| CVE-2009-4172 | 2 Cutephp, Korn19 | 2 Cutenews, Utf-8 Cutenews | 2025-04-09 | 2.6 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in index.php in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews 8 and 8b, when magic_quotes_gpc is disabled, allows remote attackers to inject arbitrary web script or HTML via the body of a news article in an addnews action. | |||||
| CVE-2009-4174 | 2 Cutephp, Korn19 | 2 Cutenews, Utf-8 Cutenews | 2025-04-09 | 6.0 MEDIUM | N/A |
| The editnews module in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b, when magic_quotes_gpc is disabled, allows remote authenticated users with Journalist or Editor access to bypass administrative moderation and edit previously submitted articles via a modified id parameter in a doeditnews action. | |||||
| CVE-2009-4173 | 2 Cutephp, Korn19 | 2 Cutenews, Utf-8 Cutenews | 2025-04-09 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allows remote attackers to hijack the authentication of administrators for requests that create new users, including a new administrator, via an adduser action in the editusers module in index.php. | |||||
| CVE-2009-4113 | 2 Cutephp, Korn19 | 2 Cutenews, Utf-8 Cutenews | 2025-04-09 | 6.5 MEDIUM | N/A |
| Static code injection vulnerability in the Categories module in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allows remote authenticated users with application administrative privileges to inject arbitrary PHP code into data/category.db.php via the Category Access field. | |||||
| CVE-2004-2615 | 1 Cutephp | 1 Cutenews | 2025-04-03 | 4.6 MEDIUM | N/A |
| The documentation for CuteNews 1.3.6 and possibly other versions specifies that files under cutenews/data must be manually given world-writable permissions, which allows local users to insert false news, delete news, and possibly gain privileges or have other unknown impact. | |||||
| CVE-2004-1573 | 2 Aj-fork, Cutephp | 2 Aj-fork, Cutenews | 2025-04-03 | 7.2 HIGH | N/A |
| The documentation for AJ-Fork 167 implies that users should set permissions for users.db.php to 777, which allows local users to execute arbitrary PHP code and gain privileges as the administrator. | |||||
| CVE-2005-1876 | 1 Cutephp | 1 Cutenews | 2025-04-03 | 4.4 MEDIUM | 4.5 MEDIUM |
| Direct code injection vulnerability in CuteNews 1.3.6 and earlier allows remote attackers with administrative privileges to execute arbitrary PHP code via certain inputs that are injected into a template (.tpl) file. | |||||
| CVE-2005-0645 | 1 Cutephp | 1 Cutenews | 2025-04-03 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in show.inc.php in cuteNews 1.3.6 allows remote attackers to inject arbitrary HTML, web script, and PHP code via the (1) CLIENT-IP or (2) X-FORWARDED-FOR header in an HTTP POST request to show_news.php. | |||||
| CVE-2005-3592 | 1 Cutephp | 1 Cutenews | 2025-04-03 | 5.0 MEDIUM | N/A |
| index.php CuteNews 1.4.0 and earlier allows remote attackers to obtain the path of the installation path of the application by triggering an error message, such as by entering multiple ../ (dot dot slash) in the archive parameter. | |||||
| CVE-2006-0885 | 1 Cutephp | 1 Cutenews | 2025-04-03 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in show_news.php in CuteNews 1.4.1 allows remote attackers to inject arbitrary web script or HTML via the show parameter. | |||||
| CVE-2005-3010 | 1 Cutephp | 1 Cutenews | 2025-04-03 | 7.5 HIGH | N/A |
| Direct static code injection vulnerability in the flood protection feature in inc/shows.inc.php in CuteNews 1.4.0 and earlier allows remote attackers to execute arbitrary PHP code via the HTTP_CLIENT_IP header (Client-Ip), which is injected into data/flood.db.php. | |||||