cvedb.io
CVE-2019-11447
HIGH · CVSS 8.8
EPSS exploitation probability: 0%
Published 2019-04-22T11:29:06.110 · Last modified 2026-06-17T02:12:54.680

Summary

An issue was discovered in CutePHP CuteNews 2.1.2. An attacker can infiltrate the server through the avatar upload process in the profile area via the avatar_file field to index.php?mod=main&opt=personal. There is no effective control of $imgsize in /core/modules/dashboard.php. The header content of a file can be changed and the control can be bypassed for code execution. (An attacker can use the GIF header for this.)

Affected products

cutephp — cutenews


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.