CVE-2005-1876

MEDIUM

CuteNews < 1.3.6 - Authenticated PHP Code Injection via Template File

Title source: llm
STIX 2.1

Description

Direct code injection vulnerability in CuteNews 1.3.6 and earlier allows remote attackers with administrative privileges to execute arbitrary PHP code via certain inputs that are injected into a template (.tpl) file.

References (3)

Core 3
Core References
Broken Link vdb-entry x_refsource_osvdb
http://www.osvdb.org/17030
Third Party Advisory mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=111773528322711&w=2
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/15594

Scores

CVSS v3 4.5
EPSS 0.0058
EPSS Percentile 43.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-94
Status published
Products (1)
cutephp/cutenews < 1.3.6
Published Jun 09, 2005
Tracked Since Feb 18, 2026