CVE-2009-4172

CuteNews 1.4.6 and UTF-8 CuteNews 8 and 8b - Stored Cross-Site Scripting via News Article Body

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-4172. PoCs published by Andrew Horton.

AI-analyzed exploit summary: This exploit demonstrates multiple XSS vulnerabilities in CuteNews and UTF-8 CuteNews by injecting malicious JavaScript via URL parameters. The PoC includes several endpoints where script tags can be injected to trigger arbitrary script execution in the context of the affected site.

Description

Cross-site scripting (XSS) vulnerability in index.php in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews 8 and 8b, when magic_quotes_gpc is disabled, allows remote attackers to inject arbitrary web script or HTML via the body of a news article in an addnews action.

Exploits (2)

exploitdb · Working PoC · Verified
by Andrew Horton · webapps · php
https://www.exploit-db.com/exploits/33340

This exploit demonstrates multiple XSS vulnerabilities in CuteNews and UTF-8 CuteNews by injecting malicious JavaScript via URL parameters. The PoC includes several endpoints where script tags can be injected to trigger arbitrary script execution in the context of the affected site.

Classification
Working PoC (90%)
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target: CuteNews and UTF-8 CuteNews
No auth needed
Prerequisites: Access to the target application's URL parameters
Analyzed by devstral-2 on Feb 16, 2026
exploitdb · Writeup
webapps · php
https://www.exploit-db.com/exploits/10002

This is a detailed security advisory describing multiple vulnerabilities in Cute News and UTF-8 Cute News, including XSS, CSRF, LFI, and command execution. It provides technical descriptions, proof-of-concept exploits, and mitigation recommendations.

Classification
Writeup (100%)
Attack Type
XSS | CSRF | LFI | Auth Bypass | Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Cute News 1.4.6, UTF-8 Cute News (prior to UTF-8b)
No auth needed
Prerequisites: Register globals enabled · Magic quotes disabled · Victim interaction (for XSS/CSRF)
Analyzed by devstral-2 on Feb 19, 2026

References (4)

Core References
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/54225
Third Party Advisory, VDB Entry (mailing-list, x_refsource_bugtraq): http://www.securityfocus.com/archive/1/507782/100/0/threaded
Exploit (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/36971

Scores

EPSS 0.0160
EPSS Percentile 72.6%

Details

CWE
CWE-79
Status: published
Products (3)
cutephp/cutenews 1.4.6
korn19/utf-8_cutenews 8
korn19/utf-8_cutenews 8b
Published: Dec 02, 2009
Tracked Since: Feb 18, 2026