• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

CutePHP CuteNews Flood Protection Client-IP PHP Code Injection Vulnerability

CutePHP CuteNews is prone to a vulnerability that may let remote attackers inject PHP and execute PHP code. This is due to an input validation error that lets remote users inject PHP code into a temporary file used by the flood protection feature of the application.

Exploitation could allow for remote execution of PHP code in the context of the server hosting the application.

This issue is reported to affected CuteNews 1.4.0. Other versions may also be affected.