Cutephp: >> Cutenews >> 2.1.2 Security Vulnerabilities
An issue was discovered in CutePHP CuteNews 2.1.2. An attacker can infiltrate the server through the avatar upload process in the profile area via the avatar_file field to index.php?mod=main&opt=personal. There is no effective control of $imgsize in /core/modules/dashboard.php. The header content of a file can be changed and the control can be bypassed for code execution. (An attacker can use the GIF header for this.)
CVSS Score
8.8
EPSS Score
0.716
Published
2019-04-22
Cross-site scripting (XSS) vulnerability in CuteNews allows remote attackers to inject arbitrary web script or HTML via the mod parameter to index.php.
CVSS Score
4.3
EPSS Score
0.003
Published
2005-09-21