OpenCVE

Multiple cross-site scripting (XSS) vulnerabilities in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allow remote attackers to inject arbitrary web script or HTML via (1) the result parameter to register.php; (2) the user parameter to search.php; the (3) cat_msg, (4) source_msg, (5) postponed_selected, (6) unapproved_selected, and (7) news_per_page parameters in a list action to the editnews module of index.php; and (8) the link tag in news comments. NOTE: some of the vulnerabilities require register_globals to be enabled and/or magic_quotes_gpc to be disabled.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Cutephp	Cutenews
Korn19	Utf-8 Cutenews

Configuration 1 [-]

OR	cpe:2.3:a:cutephp:cutenews:1.4.6:::::::*
	cpe:2.3:a:korn19:utf-8_cutenews::::::::
	cpe:2.3:a:korn19:utf-8_cutenews:2:::::::*
	cpe:2.3:a:korn19:utf-8_cutenews:3:::::::*
	cpe:2.3:a:korn19:utf-8_cutenews:4:::::::*
	cpe:2.3:a:korn19:utf-8_cutenews:5:::::::*
	cpe:2.3:a:korn19:utf-8_cutenews:6:::::::*
	cpe:2.3:a:korn19:utf-8_cutenews:7:::::::*

No data.

References

Link	Providers
http://www.morningstarsecurity.com/advisories/MORNINGSTAR-2009-02-CuteNews.txt
http://www.securityfocus.com/archive/1/507782/100/0/threaded
http://www.securityfocus.com/bid/36971
https://exchange.xforce.ibmcloud.com/vulnerabilities/54221
https://exchange.xforce.ibmcloud.com/vulnerabilities/54222
https://exchange.xforce.ibmcloud.com/vulnerabilities/54223
https://exchange.xforce.ibmcloud.com/vulnerabilities/54224
https://exchange.xforce.ibmcloud.com/vulnerabilities/54237

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2009-12-10T00:00:00

Updated: 2024-08-07T06:54:10.323Z

Reserved: 2009-12-09T00:00:00

Link: CVE-2009-4250

Vulnrichment

No data.

NVD

Status : Modified

Published: 2009-12-10T00:30:00.250

Modified: 2024-11-21T01:09:15.040

Link: CVE-2009-4250

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-11-10T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allow remote attackers to inject arbitrary web script or HTML via (1) the result parameter to register.php; (2) the user parameter to search.php; the (3) cat_msg, (4) source_msg, (5) postponed_selected, (6) unapproved_selected, and (7) news_per_page parameters in a list action to the editnews module of index.php; and (8) the link tag in news comments. NOTE: some of the vulnerabilities require register_globals to be enabled and/or magic_quotes_gpc to be disabled."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-10T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "cutenews-title-xss(54237)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54237"}, {"name": "cutenews-newscomments-xss(54224)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54224"}, {"name": "cutenews-search-xss(54222)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54222"}, {"name": "cutenews-register-xss(54221)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54221"}, {"tags": ["x_refsource_MISC"], "url": "http://www.morningstarsecurity.com/advisories/MORNINGSTAR-2009-02-CuteNews.txt"}, {"name": "20091110 [MORNINGSTAR-2009-02] Multiple security issues in Cute News and UTF-8 Cute News", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/507782/100/0/threaded"}, {"name": "cutenews-editnews-xss(54223)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54223"}, {"name": "36971", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/36971"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-4250", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allow remote attackers to inject arbitrary web script or HTML via (1) the result parameter to register.php; (2) the user parameter to search.php; the (3) cat_msg, (4) source_msg, (5) postponed_selected, (6) unapproved_selected, and (7) news_per_page parameters in a list action to the editnews module of index.php; and (8) the link tag in news comments. NOTE: some of the vulnerabilities require register_globals to be enabled and/or magic_quotes_gpc to be disabled."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "cutenews-title-xss(54237)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54237"}, {"name": "cutenews-newscomments-xss(54224)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54224"}, {"name": "cutenews-search-xss(54222)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54222"}, {"name": "cutenews-register-xss(54221)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54221"}, {"name": "http://www.morningstarsecurity.com/advisories/MORNINGSTAR-2009-02-CuteNews.txt", "refsource": "MISC", "url": "http://www.morningstarsecurity.com/advisories/MORNINGSTAR-2009-02-CuteNews.txt"}, {"name": "20091110 [MORNINGSTAR-2009-02] Multiple security issues in Cute News and UTF-8 Cute News", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/507782/100/0/threaded"}, {"name": "cutenews-editnews-xss(54223)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54223"}, {"name": "36971", "refsource": "BID", "url": "http://www.securityfocus.com/bid/36971"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T06:54:10.323Z"}, "title": "CVE Program Container", "references": [{"name": "cutenews-title-xss(54237)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54237"}, {"name": "cutenews-newscomments-xss(54224)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54224"}, {"name": "cutenews-search-xss(54222)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54222"}, {"name": "cutenews-register-xss(54221)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54221"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.morningstarsecurity.com/advisories/MORNINGSTAR-2009-02-CuteNews.txt"}, {"name": "20091110 [MORNINGSTAR-2009-02] Multiple security issues in Cute News and UTF-8 Cute News", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/507782/100/0/threaded"}, {"name": "cutenews-editnews-xss(54223)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54223"}, {"name": "36971", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/36971"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-4250", "datePublished": "2009-12-10T00:00:00", "dateReserved": "2009-12-09T00:00:00", "dateUpdated": "2024-08-07T06:54:10.323Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cutephp:cutenews:1.4.6:*:*:*:*:*:*:*", "matchCriteriaId": "B0DD68D7-98F3-402D-AB27-AC46E10C81B3", "vulnerable": true}, {"criteria": "cpe:2.3:a:korn19:utf-8_cutenews:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA6C2132-F20A-44FA-877D-BE98B713FD72", "versionEndIncluding": "8", "vulnerable": true}, {"criteria": "cpe:2.3:a:korn19:utf-8_cutenews:2:*:*:*:*:*:*:*", "matchCriteriaId": "D48B180C-DCA7-44C8-A52F-91EB46A20F02", "vulnerable": true}, {"criteria": "cpe:2.3:a:korn19:utf-8_cutenews:3:*:*:*:*:*:*:*", "matchCriteriaId": "3B547C54-DE62-4322-BF1B-2F8FA15E941D", "vulnerable": true}, {"criteria": "cpe:2.3:a:korn19:utf-8_cutenews:4:*:*:*:*:*:*:*", "matchCriteriaId": "8B811F30-0F71-4E66-AC5B-EE26E2074D6F", "vulnerable": true}, {"criteria": "cpe:2.3:a:korn19:utf-8_cutenews:5:*:*:*:*:*:*:*", "matchCriteriaId": "ABB61D5F-DD1F-4707-87DD-BB8E9136A5B2", "vulnerable": true}, {"criteria": "cpe:2.3:a:korn19:utf-8_cutenews:6:*:*:*:*:*:*:*", "matchCriteriaId": "C51C8242-4A89-48C2-865E-0AB0B96FF8B7", "vulnerable": true}, {"criteria": "cpe:2.3:a:korn19:utf-8_cutenews:7:*:*:*:*:*:*:*", "matchCriteriaId": "50DE1F0D-33B2-484D-988B-951ED69FE804", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allow remote attackers to inject arbitrary web script or HTML via (1) the result parameter to register.php; (2) the user parameter to search.php; the (3) cat_msg, (4) source_msg, (5) postponed_selected, (6) unapproved_selected, and (7) news_per_page parameters in a list action to the editnews module of index.php; and (8) the link tag in news comments. NOTE: some of the vulnerabilities require register_globals to be enabled and/or magic_quotes_gpc to be disabled."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en CutePHP CuteNews 1.4.6 y UTF-8 CuteNews en versiones anteriores a la 8b permiten a atacantes remotos inyectar secuencias de comandos web o HTML de su elecci\u00f3n a trav\u00e9s de los par\u00e1metros (1) \"result\" para register.php; (2) \"user\" para search.php; (3) \"cat_msg\", (4) \"source_msg\", (5) \"postponed_selected\", (6) \"unapproved_selected\" y (7) \"news_per_page\" en una acci\u00f3n list a el m\u00f3dulo editnews de index.php; y (8) la etiqueta de enlace en comentarios de noticias. NOTA: algunas de estas vulnerabilidades requieren que register_globals est\u00e9 habilitado y/o magic_quotes_gpc estar deshabilitado."}], "id": "CVE-2009-4250", "lastModified": "2024-11-21T01:09:15.040", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2009-12-10T00:30:00.250", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.morningstarsecurity.com/advisories/MORNINGSTAR-2009-02-CuteNews.txt"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/507782/100/0/threaded"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/36971"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54221"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54222"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54223"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54224"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54237"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://www.morningstarsecurity.com/advisories/MORNINGSTAR-2009-02-CuteNews.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/507782/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/36971"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54221"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54222"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54223"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54224"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54237"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}