CuteNews1.4.1 Cross_Site_Scripting Vulnerability

2006.03.05
Risk: Low
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

[KAPDA::#30] - CuteNews1.4.1 Cross_Site_Scripting Vulnerability

KAPDA New advisory

Vulnerable products : CuteNews1.4.1
Vendor: www.cutephp.com
Risk: Low
Vulnerabilities: Cross_Site_Scripting

Discovered by Roozbeh Afrasiabi and imei addmimistrator
roozbeh_afrasiabi[at]yahoo[dot]com
www.kapda.ir
www.persiax.com

Date :
--------------------
Found : N/A
Vendor Contacted : N/A

About :
--------------------
"Cute news is a powerful and easy for using news management system that use flat files to store its database. It supports comments, archives, search function, image uploading, backup function, IP banning, flood protection ..." (from cutephp.org)

Vulnerability:
--------------------
Cross_Site_Scripting :
CuteNews is affected by a cross-site scripting vulnerability. This issue is due to the failure of the application to properly sanitize user-supplied input. As a result of this vulnerability, it is possible for a remote attacker to create a malicious link containing script code that will be executed in the browser of an unsuspecting user when followed.

Detail and PoC :
--------------------
Please view original advisory for more info

Solution :
--------------------
N/A

Original Advisory :
--------------------
http://kapda.ir/advisory-277.html

Credit :
--------------------
Discovered by Roozbeh Afrasiabi and imei addmimistrator
roozbeh_afrasiabi (at) yahoo (dot) com
Kapda Security Science Researchers Institute
www.kapda.ir
www.persiax.com



Copyright 2020, cxsecurity.com
