CuteNews 'add_ip' Parameter PHP Code Injection Vulnerability

info
discussion
exploit
solution
references

CuteNews 'add_ip' Parameter PHP Code Injection Vulnerability

CuteNews is prone to a remote PHP code-injection vulnerability.

An attacker can exploit this issue to inject and execute arbitrary malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.

CuteNews 1.4.6 is vulnerable; other versions may also be affected.