CVE-2009-4173

CutePHP CuteNews 1.4.6 and UTF-8 CuteNews < 8b - Cross-Site Request Forgery via Edit Users Action

Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-4173. PoCs published by Andrew Horton.

AI-analyzed exploit summary: The provided text is a vulnerability description for CVE-2009-4173, detailing multiple issues in CuteNews and UTF-8 CuteNews, including XSS, HTML injection, and security bypass. It does not contain functional exploit code but outlines potential attack vectors and impacts.

Description

Cross-site request forgery (CSRF) vulnerability in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allows remote attackers to hijack the authentication of administrators for requests that create new users, including a new administrator, via an adduser action in the editusers module in index.php.

Exploits (2)

exploitdb WRITEUP VERIFIED
by Andrew Horton · text · webapps · php
https://www.exploit-db.com/exploits/33344

The provided text is a vulnerability description for CVE-2009-4173, detailing multiple issues in CuteNews and UTF-8 CuteNews, including XSS, HTML injection, and security bypass. It does not contain functional exploit code but outlines potential attack vectors and impacts.

Classification: Writeup 90%
Attack Type: XSS | Info Leak | Auth Bypass
Complexity: Moderate
Reliability: Theoretical
Target: CuteNews and UTF-8 CuteNews
Auth required
Prerequisites: Administrator privileges for some exploits · Access to the target application
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP
webapps · php
https://www.exploit-db.com/exploits/10002

This is a detailed security advisory from MorningStar Security describing multiple vulnerabilities in Cute News and UTF-8 Cute News, including XSS, CSRF, LFI, and command injection. It provides technical descriptions, proof-of-concept exploits, and mitigation recommendations.

Classification: Writeup 100%
Attack Type: XSS | CSRF | LFI | Auth Bypass | Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Cute News 1.4.6, UTF-8 Cute News
No auth needed
Prerequisites: Register globals enabled · Magic quotes disabled · User registration allowed (for some exploits)
devstral-2 · analyzed Feb 19, 2026

References (4)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/54240
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/507782/100/0/threaded
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/36971

Scores

EPSS 0.0103
EPSS Percentile 59.1%

Details

CWE: CWE-352
Status: published
Products (2):
cutephp/cutenews 1.4.6
korn19/utf-8_cutenews 8
Published: Dec 02, 2009
Tracked Since: Feb 18, 2026