CVE-2009-4250
Last modified
CVE-2009-4250 is a vulnerability of currently unknown severity. Multiple cross-site scripting (XSS) vulnerabilities in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allow remote attackers to inject arbitrary web script or HTML via (1) the result parameter to register.php; (2) the user parameter to search.php; the (3) cat_msg, (4) source_msg, (5) postponed_selected, (6) unapproved_selected, and (7) news_per_page parameters in a list action to the editnews module of index.php; and (8) the link tag in news comments. NOTE: some of the vulnerabilities require register_globals to be enabled and/or magic_quotes_gpc to be disabled.. EPSS estimates a 1.98% chance of exploitation in the next 30 days.
Description
Multiple cross-site scripting (XSS) vulnerabilities in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allow remote attackers to inject arbitrary web script or HTML via (1) the result parameter to register.php; (2) the user parameter to search.php; the (3) cat_msg, (4) source_msg, (5) postponed_selected, (6) unapproved_selected, and (7) news_per_page parameters in a list action to the editnews module of index.php; and (8) the link tag in news comments. NOTE: some of the vulnerabilities require register_globals to be enabled and/or magic_quotes_gpc to be disabled.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Cutephp | Cutenews | 1.4.6 |
| Korn19 | Utf-8 Cutenews | <= 8 |
| Korn19 | Utf-8 Cutenews | 2 |
| Korn19 | Utf-8 Cutenews | 3 |
| Korn19 | Utf-8 Cutenews | 4 |
| Korn19 | Utf-8 Cutenews | 5 |
| Korn19 | Utf-8 Cutenews | 6 |
| Korn19 | Utf-8 Cutenews | 7 |
References
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2009-4250?
How severe is CVE-2009-4250?
How do I fix CVE-2009-4250?
Are you affected by CVE-2009-4250?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST