Vendor: CuteNews and UTF-8 CuteNews
By: Unknown
CVSS: 7.5 (HIGH)
Cross-site scripting, HTML-injection, information-disclosure, arbitrary-script-injection, and security-bypass issues
CWE: Unknown
Product Name: CuteNews and UTF-8 CuteNews
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE: Unknown
CPE: Unknown
Metasploit:
Other Scripts:
Platforms Tested: Unknown

Multiple vulnerabilities in CuteNews and UTF-8 CuteNews

The vulnerabilities in CuteNews and UTF-8 CuteNews allow attackers to obtain sensitive information, gain unauthorized access, run arbitrary script code in the browser, hijack user sessions, and execute arbitrary commands in the context of the webserver process. Exploits for some of the issues may require administrator privilege.

Mitigation: Unknown
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/36971/info
  
CuteNews and UTF-8 CuteNews are prone to multiple vulnerabilities, including cross-site scripting, HTML-injection, information-disclosure, arbitrary-script-injection, and security-bypass issues.
  
Note that exploits for some of the issues may require administrator privilege.
  
Successful exploits may allow attackers to:
- obtain sensitive information
- gain unauthorized access to the affected application
- run arbitrary script code in the browser of an unsuspecting user in the context of the affected site
- hijack user sessions
- execute arbitrary commands in the context of the webserver process
  
A successful attack will compromise the application and may aid in further attacks. 

http://www.example.com/test/cutenews/search.php?user=%22%3E%3Cscript%3Ealert(/xss/);%3C/script%3E
http://www.example.com/test/cutenews/search.php?title=%22%3E%3Cscript%3Ealert(/xss/);%3C/script%3E
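
A detection sketch for the two proof-of-concept requests above, added here as an example and not part of the original advisory or of CuteNews: it flags access-log entries where the `user` or `title` parameter of `search.php` decodes to HTML markup characters. The combined log format, the sample lines and all function names are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameters targeted by the advisory's proof-of-concept URLs for search.php.
WATCHED_PARAMS = {"user", "title"}
# Characters that let a value break out of an HTML attribute or open a tag.
MARKUP = re.compile(r'[<>"]')
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample log lines; addresses are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /test/cutenews/search.php?user=%22%3E%3Cscript%3Ealert(/xss/);%3C/script%3E HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /test/cutenews/search.php?title=%2522%253Cb%253E HTTP/1.1" 200 498',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /test/cutenews/search.php?user=alice&title=release+notes HTTP/1.1" 200 731',
    '198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET /test/cutenews/index.php?title=%3Cb%3E HTTP/1.1" 200 220',
]


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded input is seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(log_line):
    """Return sorted names of watched search.php parameters carrying markup."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/search.php"):
        return []
    # parse_qsl decodes once; fully_decode handles further encoding layers.
    hits = {name for name, value in parse_qsl(url.query, keep_blank_values=True)
            if name in WATCHED_PARAMS and MARKUP.search(fully_decode(value))}
    return sorted(hits)


def scan(lines):
    """Return (line_number, parameter_names) for every flagged log line."""
    results = [(i, suspicious_params(line)) for i, line in enumerate(lines, 1)]
    return [(i, hits) for i, hits in results if hits]
```

A match means the request carried markup in a reflected parameter, not that the page rendered it unescaped; confirm against the response or the application's output encoding.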