CVEブラウザに戻る

CVE-2005-3010

HIGH

7.5

CVSS Severity Score

EPSS Score0.0250%

EPSS Percentile37.28th

Published2005年9月21日

Last Modified2026年4月16日

Vulnerability Description

Direct static code injection vulnerability in the flood protection feature in inc/shows.inc.php in CuteNews 1.4.0 and earlier allows remote attackers to execute arbitrary PHP code via the HTTP_CLIENT_IP header (Client-Ip), which is injected into data/flood.db.php.

Affected Platforms (CPE)

📦

Cutephp

Cutenews

<= 1.4.0

References & Advisories

🔗 http://securityreason.com/securityalert/14

🔗 http://www.securityfocus.com/archive/1/411057

🔗 http://www.securityfocus.com/bid/14869

🔗 http://securityreason.com/securityalert/14

🔗 http://www.securityfocus.com/archive/1/411057

🔗 http://www.securityfocus.com/bid/14869

関連する脆弱性情報

CVE-2019-114478.8

An issue was discovered in CutePHP CuteNews 2.1.2. An attacker can infiltrate the server through the avatar upload process in the ...

CVE-2020-55588.8

CuteNews 2.0.1 allows remote authenticated attackers to execute arbitrary PHP code via unspecified vectors.

CVE-2003-12407.5

PHP remote file inclusion vulnerability in CuteNews 0.88 allows remote attackers to execute arbitrary PHP code via a URL in the cu...

CVE-2004-16607.5

PHP remote file inclusion vulnerability in CuteNews 1.3.6 and earlier allows remote attackers to execute arbitrary PHP code via th...