CuteNews 1.4.1 and possibly other versions allows remote attackers to obtain the installation path via unspecified vectors involving an invalid file path. Successful exploitation requires that the "register_globals" parameter is enabled.

Directory traversal vulnerability in inc/functions.inc.php in CuteNews 1.4.1 and possibly other versions, when register_globals is enabled, allows remote attackers to include arbitrary files via a .. (dot dot) sequence and trailing NULL (%00) byte in