Cutenews
by Cutephp
CVEs (35)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2009-4113 |  | 0.00 | — | 0.00 |  | Nov 30, 2009 | Static code injection vulnerability in the Categories module in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allows remote authenticated users with application administrative privileges to inject arbitrary PHP code into data/category.db.php via the Category Access field. |
| CVE-2007-6662 |  | 0.00 | — | 0.00 |  | Jan 4, 2008 | Directory traversal vulnerability in file.php in CuteNews 2.6 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter, as demonstrated by reading the admin username and password hash in data/users.db.php. |
| CVE-2007-1153 |  | 0.00 | — | 0.01 |  | Mar 2, 2007 | Multiple PHP remote file inclusion vulnerabilities in CutePHP CuteNews 1.3.6 allow remote attackers to execute arbitrary PHP code via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: issue might overlap CVE-2004-1660 or CVE-2006-4445. |
| CVE-2006-4445 |  | 0.00 | — | 0.02 |  | Aug 29, 2006 | Multiple PHP remote file inclusion vulnerabilities in CuteNews 1.3.x allow remote attackers to execute arbitrary PHP code via a URL in the cutepath parameter to (1) show_news.php or (2) search.php. NOTE: CVE analysis as of 20060829 has not identified any scenarios in which these vectors could result in remote file inclusion |
| CVE-2006-3661 |  | 0.00 | — | 0.00 |  | Jul 18, 2006 | Cross-site scripting (XSS) vulnerability in Index.PHP in CuteNews 1.4.5 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. NOTE: the provenance of this information is unknown; the details are obtained from third party information. |
| CVE-2006-2250 |  | 0.00 | — | 0.00 |  | May 9, 2006 | CuteNews 1.4.1 allows remote attackers to obtain sensitive information via a direct request to (1) /inc/show.inc.php or (2) /inc/functions.inc.php, which reveal the path in an error message. |
| CVE-2006-1339 |  | 0.00 | — | 0.02 |  | Mar 21, 2006 | Directory traversal vulnerability in inc/functions.inc.php in CuteNews 1.4.1 and possibly other versions, when register_globals is enabled, allows remote attackers to include arbitrary files via a .. (dot dot) sequence and trailing NULL (%00) byte in the archive parameter in an HTTP POST or COOKIE request, which bypasses a sanity check that is only applied to a GET request. |
| CVE-2006-1340 |  | 0.00 | — | 0.00 |  | Mar 21, 2006 | CuteNews 1.4.1 and possibly other versions allows remote attackers to obtain the installation path via unspecified vectors involving an invalid file path. |
| CVE-2005-3592 |  | 0.00 | — | 0.00 |  | Nov 16, 2005 | index.php CuteNews 1.4.0 and earlier allows remote attackers to obtain the path of the installation path of the application by triggering an error message, such as by entering multiple ../ (dot dot slash) in the archive parameter. |
| CVE-2005-3009 |  | 0.00 | — | 0.00 |  | Sep 21, 2005 | Cross-site scripting (XSS) vulnerability in CuteNews allows remote attackers to inject arbitrary web script or HTML via the mod parameter to index.php. |
| CVE-2005-2393 |  | 0.00 | — | 0.00 |  | Jul 27, 2005 | Cross-site scripting (XSS) vulnerability in CuteNews 1.3.6 allows remote attackers to inject arbitrary web script or HTML via (1) the lastusername parameter to index.php or (2) selected_search_arch parameter to search.php. |
| CVE-2005-2394 |  | 0.00 | — | 0.00 |  | Jul 27, 2005 | show_news.php in CuteNews 1.3.6 allows remote attackers to obtain the full path of the server via an invalid archive parameter. |
| CVE-2004-1573 |  | 0.00 | — | 0.00 |  | Dec 31, 2004 | The documentation for AJ-Fork 167 implies that users should set permissions for users.db.php to 777, which allows local users to execute arbitrary PHP code and gain privileges as the administrator. |
| CVE-2004-2615 |  | 0.00 | — | 0.00 |  | Dec 31, 2004 | The documentation for CuteNews 1.3.6 and possibly other versions specifies that files under cutenews/data must be manually given world-writable permissions, which allows local users to insert false news, delete news, and possibly gain privileges or have other unknown impact. |
| CVE-2004-1660 |  | 0.00 | — | 0.01 |  | Aug 30, 2004 | PHP remote file inclusion vulnerability in CuteNews 1.3.6 and earlier allows remote attackers to execute arbitrary PHP code via the cutepath parameter to (1) show_archives.php or (2) show_news.php. |