Direct static code injection vulnerability in the flood protection feature in inc/shows.inc.php in CuteNews 1.4.0 and earlier allows remote attackers to execute arbitrary PHP code via the HTTP_CLIENT_IP header (Client-Ip), which is injected into data/flood.db.php.
References
Link | Resource |
---|---|
http://securityreason.com/securityalert/14 | |
http://www.securityfocus.com/archive/1/411057 | Exploit |
http://www.securityfocus.com/bid/14869 | Exploit |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2005-09-21T04:00:00
Updated: 2006-01-11T10:00:00
Reserved: 2005-09-21T00:00:00
Link: CVE-2005-3010
JSON object: View
NVD Information
Status : Analyzed
Published: 2005-09-21T20:03:00.000
Modified: 2008-09-05T20:53:13.377
Link: CVE-2005-3010
JSON object: View
Redhat Information
No data.
CWE