An issue was discovered in Pluck before 4.7.6. Remote PHP code execution is possible because the set of disallowed filetypes for uploads in missing some applicable ones such as .phtml and .htaccess.
oryginał ENCVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HPluck Cms Pluck
APPPluck-Cms< 4.7.6
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
RCE
CWE
Powiązane podatności
CVE-2024-43042CRITICAL9.8PL ✓ten sam produkt
Pluck CMS 4.7.18 — brak ograniczenia nieudanych prób logowania (brute force)
CVE-2021-31746CRITICAL9.8ten sam produkt
Zip Slip vulnerability in Pluck-CMS Pluck 4.7.15 allows an attacker to upload specially crafted zip files, res...
CVE-2020-20951CRITICAL9.8ten sam produkt
In Pluck-4.7.10-dev2 admin background, a remote command execution vulnerability exists when uploading files.
CVE-2019-11344CRITICAL9.8ten sam produkt
data/inc/files.php in Pluck 4.7.8 allows remote attackers to execute arbitrary code by uploading a .htaccess f...
CVE-2018-11736CRITICAL9.8ten sam produkt
An issue was discovered in Pluck before 4.7.7-dev2. /data/inc/images.php allows remote attackers to upload and...