Main Vulnerability Database Exploits ID:6898 - Exploit for Arbitrary file upload in CuteNews - CVE-2019-11447

ID:6898 - Exploit for Arbitrary file upload in CuteNews - CVE-2019-11447

Published: October 18, 2021

Vulnerability identifier: #VU35981

Vulnerability risk: High

CVE-ID: CVE-2019-11447

CWE-ID: CWE-434

Exploitation vector: Remote access

Vulnerable software:
CuteNews

Link to public exploit:

https://github.com/iainr/CuteNewsRCE

Vulnerability description

The vulnerability allows a remote authenticated user to execute arbitrary code.

An issue was discovered in CutePHP CuteNews 2.1.2. An attacker can infiltrate the server through the avatar upload process in the profile area via the avatar_file field to index.php?mod=main&opt=personal. There is no effective control of $imgsize in /core/modules/dashboard.php. The header content of a file can be changed and the control can be bypassed for code execution. (An attacker can use the GIF header for this.)

Remediation

Install update from vendor's website.

ID:6898 - Exploit for Arbitrary file upload in CuteNews - CVE-2019-11447

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human