[KAPDA::#30] - CuteNews1.4.1 Cross_Site_Scripting Vulnerability KAPDA New advisory Vulnerable products : CuteNews1.4.1 Vendor: www.cutephp.com Risk: Low Vulnerabilities: Cross_Site_Scripting Discoverd by Roozbeh Afrasiabi and imei addmimistrator roozbeh_afrasiabi[at]yahoo[dot]com www.kapda.ir www.persiax.com Date : -------------------- Found : N/A Vendor Contacted : N/A About : -------------------- "Cute news is a powerful and easy for using news management system that use flat files to store its database. It supports comments, archives, search function, image uploading,backup function, IP banning, flood protection ..." (from cutephp.org) Vulnerability: -------------------- Cross_Site_Scripting : CuteNews is affected by a cross-site scripting vulnerability.This issue is due to the failure of the application to properly sanitize user- supplied input. As a result of this vulnerability, it is possible for a remote attacker to create a malicious link containing script code that will be executed in the browser of an unsuspecting user when followed. Detail and PoC : -------------------- please view original advisory for more info Solution : -------------------- N/A Original Advisory : -------------------- http://kapda.ir/advisory-277.html Credit : -------------------- Discoverd by Roozbeh Afrasiabi and imei addmimistrator roozbeh_afrasiabi (at) yahoo (dot) com [email concealed] Kapda Security Science Researchers Insitute www.kapda.ir www.persiax.com