Cutenews Multiple Input Validation Vulnerabilities
BID:21233
Info
| Bugtraq ID: | 21233 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Nov 21 2006 12:00AM |
| Updated: | Nov 24 2006 05:35PM |
| Credit: | alireza hassani is credited with the discovery of these vulnerabilities. |
| Vulnerable: | CutePHP CuteNews 1.4.5 |
| Not Vulnerable: | |
Discussion
CuteNews is prone to multiple input-validation vulnerabilities, including an HTML-injection vulnerability, cross-site scripting vulnerabilities, and information-disclosure vulnerabilities.
An attacker could exploit these issues to view sensitive information or to have arbitrary script code execute in the context of the affected site, which may allow the attacker to steal cookie-based authentication credentials or change the way the site is rendered to the user. Data gained could aid in further attacks.
CuteNews 1.4.5 is vulnerable.
Exploit / POC
An attacker can exploit these issues via a web client. To exploit the cross-site scripting vulnerabilities, the attacker must entice an unsuspecting user to follow a malicious URI.
The following proof-of-concept URIs are available:
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
References:
- CuteNews Homepage (Cutephp)
- [KAPDA]::Security analysis of cutenews 1.4.5 (alireza hassani)