Welcome to the Zeroday Tracker: Your Vulnerability Watchlist

CuteFlow Multiple Vulnerabilities

Disclosed July 1, 2013 | Zeroday: 536 days

Vulnerability Description:

CuteFlow contains multiple vulnerabilities, including Arbitrary File Upload, SQL Injection, Arbitrarily Adding Users, and Cross Site Scripting (XSS). An attacker may use these vulnerabilities to compromise a CuteFlow installation.

Vendors:

CuteFlow

Vulnerable Software/Devices:

CuteFlow 2.11.2 and possibly earlier versions

Vulnerability Severity:

Medium

Exploit Availability:

Publicly Available

Exploit Impact:

Arbitrary File Upload, Cross-Site Scripting, Security Bypass, SQL Injection

Arbitrary File Upload
Attackers may be able to upload files and execute them arbitrarily.
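The usual defensive answer to an arbitrary-upload flaw is to validate the file name and content on the server, store the file under a name the uploader does not control, and never mark it executable. The following is an added illustration of those checks, not CuteFlow code; the allowed extensions, the magic-byte table and the sample inputs are constructed assumptions for the example.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Assumption: a document-flow application only needs documents and images.
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".txt"}

# Leading bytes that a file of the claimed type must start with (constructed subset).
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate upload."""
    name = os.path.basename(filename)          # drop any directory components ("../x.png")
    path = Path(name)
    ext = path.suffix.lower()
    if path.stem == "" or ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    if len(path.suffixes) > 1:                 # "shell.php.txt" and similar double extensions
        return False, "multiple extensions not allowed"
    magic = MAGIC.get(ext)
    if magic is not None and not data.startswith(magic):
        return False, "content does not match extension"
    return True, "ok"


def store_upload(filename: str, data: bytes, upload_root: Path) -> Path:
    """Validate, then write under a random server-chosen name with no execute bit."""
    ok, reason = validate_upload(filename, data)
    if not ok:
        raise ValueError(reason)
    ext = Path(os.path.basename(filename)).suffix.lower()
    stored = upload_root / (secrets.token_hex(16) + ext)   # uploader never picks the path
    with open(stored, "wb") as fh:
        fh.write(data)
    os.chmod(stored, 0o640)                                # owner rw, group r, never executable
    return stored


def demo_store() -> dict:
    """Exercise the happy path and a rejection against a throwaway directory."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16              # constructed minimal PNG prefix
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        stored = store_upload("../../holiday.png", png, root)
        try:
            store_upload("shell.php", b"<?php echo 1;", root)
            rejected = False
        except ValueError:
            rejected = True
        return {
            "stored_in_root": stored.parent == root,
            "renamed": stored.name != "holiday.png",
            "size": stored.stat().st_size,
            "php_rejected": rejected,
        }
```

The upload directory should additionally sit outside the web root, or be served with script execution disabled, so that a file which slips past validation is still only ever returned as static content.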

SQL Injection
Attackers are able to disclose sensitive information through specially crafted input that is not sanitized. The SQL database runs whatever attacker-provided query is handed to it and relays the result to the attacker.

Security Bypass
Attackers can arbitrarily add users through writeuser.php.

Cross-Site Scripting
Attackers may run specially crafted scripts through unsanitized inputs, possibly allowing for information disclosure.

BeyondTrust Prevention and Detection:

BeyondTrust's Retina® Network Security Scanner scans devices for this vulnerability.
  • 30622 - CuteFlow Multiple Vulnerabilities (20120727) (Zero-Day)

Mitigation:

No mitigations currently available.

Links:

CVE(s):

None