CVE-2004-0660

CuteNews 1.3.1 - Cross-Site Scripting via id Parameter


Exploitation Summary

EIP tracks 5 public exploits for CVE-2004-0660. PoCs published by DarkBicho, Debasis Mohanty.

AI-analyzed exploit summary: This exploit demonstrates an HTML injection vulnerability in CutePHP, where user-supplied input in comment posts is not sufficiently sanitized. An attacker can inject malicious HTML code via URI arguments, which may be rendered in the user's browser.

Description

Cross-site scripting (XSS) vulnerability in (1) show_archives.php, (2) show_news.php, and possibly other php files in CuteNews 1.3.1 allows remote attackers to inject arbitrary script or HTML via the id parameter.

Exploits (5)

exploitdb · WORKING POC · VERIFIED
by DarkBicho · text · webapps · php
https://www.exploit-db.com/exploits/24290

This exploit demonstrates an HTML injection vulnerability in CutePHP, where user-supplied input in comment posts is not sufficiently sanitized. An attacker can inject malicious HTML code via URI arguments, which may be rendered in the user's browser.

Classification: Working PoC (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: CutePHP
Authentication: No auth needed
Prerequisites: Access to the target application's comment functionality
Analyzed by devstral-2 on Feb 16, 2026

exploitdb · WRITEUP · VERIFIED
by Debasis Mohanty · text · webapps · php
https://www.exploit-db.com/exploits/24372

The provided text describes a cross-site scripting (XSS) vulnerability in CuteNews 1.3.1 due to improper sanitization of user-supplied URI input. It includes a proof-of-concept URI demonstrating the vulnerability but lacks executable exploit code.

Classification: Writeup (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Theoretical
Target: CuteNews 1.3.1
Authentication: No auth needed
Prerequisites: Victim must click a malicious link
Analyzed by devstral-2 on Feb 16, 2026

exploitdb · WRITEUP · VERIFIED
by DarkBicho · text · webapps · php
https://www.exploit-db.com/exploits/24240

The provided text describes a cross-site scripting (XSS) vulnerability in CuteNews, where the 'id' parameter in multiple scripts fails to sanitize user-supplied input, allowing execution of arbitrary HTML and script code.

Classification: Writeup (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: CuteNews (version not specified)
Authentication: No auth needed
Prerequisites: A victim must click on a malicious link
Analyzed by devstral-2 on Feb 16, 2026

exploitdb · WRITEUP · VERIFIED
by DarkBicho · text · webapps · php
https://www.exploit-db.com/exploits/24239

The provided text describes a cross-site scripting (XSS) vulnerability in CuteNews, where the 'id' parameter in multiple scripts fails to sanitize user-supplied input, allowing arbitrary script execution in the context of a victim's browser.

Classification: Writeup (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: CuteNews (version not specified)
Authentication: No auth needed
Prerequisites: Victim must follow a malicious URI link
Analyzed by devstral-2 on Feb 16, 2026

exploitdb · WRITEUP · VERIFIED
by DarkBicho · text · webapps · php
https://www.exploit-db.com/exploits/24238

The provided text describes a cross-site scripting (XSS) vulnerability in CuteNews, where the 'id' parameter in multiple scripts fails to sanitize user-supplied input, allowing execution of arbitrary HTML and script code.

Classification: Writeup (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: CuteNews (version not specified)
Authentication: No auth needed
Prerequisites: Victim must follow a malicious URI link
Analyzed by devstral-2 on Feb 16, 2026

References (3)

Third Party Advisory, VDB Entry (X-Force):
https://exchange.xforce.ibmcloud.com/vulnerabilities/16525
Various Sources:
http://www.swp-zone.org/archivos/advisory-06.txt
Mailing List (Bugtraq):
http://marc.info/?l=bugtraq&m=108844000409449&w=2

Scores

EPSS: 0.0395
EPSS Percentile: 89.1%

Details

Status: published
Products (3):
cutephp/cutenews 0.88
cutephp/cutenews 1.3
cutephp/cutenews 1.3.1
Published: Aug 06, 2004
Tracked Since: Feb 18, 2026