The editnews module in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews prior to 8b, when magic_quotes_gpc is disabled, allows remote authenticated users with Journalist or Editor access to bypass administrative moderation and edit previously submitted articles via a modified id parameter in a doeditnews action.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
korn19 utf-8 cutenews 8 |
||
cutephp cutenews 1.4.6 |