CVE-2009-4175

CutePHP CuteNews <8b - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-4175. PoCs published by Andrew Horton.

AI-analyzed exploit summary: The provided text describes multiple vulnerabilities in CuteNews and UTF-8 CuteNews, including XSS, HTML injection, and security bypass issues. It outlines potential impacts and provides a sample URL for an information disclosure or XSS attack but lacks actual exploit code.

Description

CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allow remote attackers to obtain sensitive information via an invalid date value in the from_date_day parameter to search.php, which reveals the installation path in an error message.

Exploits (2)

exploitdb WRITEUP VERIFIED
by Andrew Horton · text · webapps · php
https://www.exploit-db.com/exploits/33341

The provided text describes multiple vulnerabilities in CuteNews and UTF-8 CuteNews, including XSS, HTML injection, and security bypass issues. It outlines potential impacts and provides a sample URL for an information disclosure or XSS attack but lacks actual exploit code.

Classification
Writeup 90%
Attack Type
XSS | Info Leak | Auth Bypass
Complexity
Trivial
Reliability
Theoretical
Target: CuteNews and UTF-8 CuteNews (version not specified)
No auth needed
Prerequisites: Access to the target application · Potential admin privileges for some exploits
devstral-2 · analyzed Feb 16, 2026
exploitdb WRITEUP
webapps · php
https://www.exploit-db.com/exploits/10002

This advisory details multiple vulnerabilities in Cute News and UTF-8 Cute News, including XSS, CSRF, LFI, and command execution. It provides technical descriptions and proof-of-concept exploits for each vulnerability.

Classification
Writeup 100%
Attack Type
XSS | CSRF | LFI | Auth Bypass | Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Cute News 1.4.6, UTF-8 Cute News
No auth needed
Prerequisites: Register globals enabled · Magic quotes disabled · User registration allowed
devstral-2 · analyzed Feb 19, 2026

References (4)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/54235
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/507782/100/0/threaded
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/36971

Scores

EPSS 0.0278
EPSS Percentile 84.5%

Details

CWE
CWE-200
Status published
Products (2)
cutephp/cutenews 1.4.6
korn19/utf-8_cutenews 8
Published Dec 02, 2009
Tracked Since Feb 18, 2026