CuteFlow contains multiple vulnerabilities, including Arbitrary File Upload, SQL Injection, Arbitrarily Adding Users, and Cross Site Scripting (XSS). An attacker may use these vulnerabilities to compromise a CuteFlow installation.
CuteFlow 2.11.2 and possibly earlier versions
Arbitrary File Upload, Cross-Site Scripting, Security Bypass, SQL Injection
Arbitrary File Upload
Attackers may be able to upload files and execute them arbitrarily.
SQL Injection
Attackers are able to disclose sensitive information through specially crafted input that is not sanitized. The SQL database runs whatever attacker-supplied query it is given and the results are relayed back to the attacker.
Security Bypass
Attackers can arbitrarily add users through writeuser.php.
Cross Site Scripting
Attackers may inject specially crafted script through unsanitized inputs, possibly allowing information disclosure.
BeyondTrust Prevention and Detection:
- 30622 - CuteFlow Multiple Vulnerabilities (20120727) (Zero-Day)
No mitigations currently available.