Direct static code injection vulnerability in the flood protection feature in inc/shows.inc.php in CuteNews 1.4.0 and earlier allows remote attackers to execute arbitrary PHP code via the HTTP_CLIENT_IP header (Client-Ip), which is injected into data/flood.db.php.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Cutenews | Cutephp | * | 1.4.0 (including) |