CuteNews 1.4.0 and Earlier: Direct Static Code Injection Vulnerability in Flood Protection Feature

CVE-2005-3010 · HIGH Severity

AV:N/AC:L/AU:N/C:P/I:P/A:P

Direct static code injection vulnerability in the flood protection feature in inc/shows.inc.php in CuteNews 1.4.0 and earlier allows remote attackers to execute arbitrary PHP code via the HTTP_CLIENT_IP header (Client-Ip), which is injected into data/flood.db.php.

Learn more about our Web Application Penetration Testing UK.