CVE: CVE-2005-1876

Export to Word

Direct code injection vulnerability in CuteNews 1.3.6 and earlier allows remote attackers with administrative privileges to execute arbitrary PHP code via certain inputs that are injected into a template (.tpl) file.

Threat-Mapped Scoring

Score: 0.0

Priority: Unclassified

EPSS

Score: 0.0074
Percentile: 0.71947

CVSS Scoring

CVSS v3.1 Score: 4.5

Severity: MEDIUM

Mapped CWE(s)

CWE-94 : Improper Control of Generation of Code ('Code Injection')

All CAPEC(s)

CAPEC-242: Code Injection
CAPEC-35: Leverage Executable Code in Non-Executable Files
CAPEC-77: Manipulating User-Controlled Variables

CAPEC(s) with Mapped TTPs

CAPEC-35: Leverage Executable Code in Non-Executable Files
Mapped TTPs:
- T1027.006 : HTML Smuggling
- T1027.009 : Embedded Payloads
- T1564.009 : Resource Forking

Mapped ATT&CK TTPs

T1027.006 : HTML Smuggling
Kill Chain: defense-evasion
T1027.009 : Embedded Payloads
Kill Chain: defense-evasion
T1564.009 : Resource Forking
Kill Chain: defense-evasion

Malware

APTs Threat Group Associations

Campaigns

C0021

Affected Products

cpe:2.3:a:cutephp:cutenews:*:*:*:*:*:*:*:*

← Back to Home