
CuteNews <= 1.3.6 Multiple XSS / Code Execution



The remote host is vulnerable to a Cross-Site Scripting (XSS) attack.


According to its version number, the remote host is running a version of CuteNews that allows an attacker to inject arbitrary script through the 'X-FORWARDED-FOR' or 'CLIENT-IP' request headers when adding a comment. On one hand, an attacker can inject a client-side script that is executed by an administrator's browser when they choose to edit the added comment. On the other, an attacker with local access could leverage this flaw to run arbitrary PHP code in the context of the web server user. Additionally, the application suffers from a cross-site scripting flaw involving the 'search.php' script.
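The mitigation a developer would apply to the header handling described above, as an added PHP example that is neither CuteNews code nor the plugin's own: only consult the forwarded-for header when the direct peer is a known proxy (the proxy address below is an assumed value), validate the result as an IP address, and HTML-escape it before it is embedded in the administrator's edit form.

```php
<?php
// Added hardening example (not CuteNews code): derive the commenter's IP
// from trusted sources only, validate it, and escape it on output.

// Proxies whose X-Forwarded-For header we are willing to trust (assumed value).
const TRUSTED_PROXIES = ['10.0.0.5'];

function client_ip(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    // Only consult X-Forwarded-For when the direct peer is a trusted proxy;
    // otherwise any client can set the header to arbitrary text.
    if (in_array($remote, TRUSTED_PROXIES, true) && isset($server['HTTP_X_FORWARDED_FOR'])) {
        // Leftmost entry is the original client; later entries are appended by proxies.
        $first = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    // Fall back to the socket peer, which a client cannot change via a header.
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '0.0.0.0';
}

// Escape before embedding in the admin edit form; validation alone is not output encoding.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed request: an untrusted peer sending markup instead of an address.
$spoofed = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '<b>not-an-ip</b>',
];
echo client_ip($spoofed), "\n";   // header ignored, socket peer used

// Constructed request arriving through the trusted proxy with a valid chain.
$proxied = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.23, 10.0.0.5',
];
echo client_ip($proxied), "\n";   // leftmost validated address used

// What the edit form should receive: a validated and escaped attribute value.
echo '<input name="ip" value="' . html_attr(client_ip($spoofed)) . '">', "\n";
```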


Upgrade or patch according to vendor recommendations.