Filtered by vendor Pluck-cms
Subscribe
Total
44 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-26589 | 1 Pluck-cms | 1 Pluck | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to delete arbitrary pages. | |||||
| CVE-2021-31747 | 1 Pluck-cms | 1 Pluck | 2024-11-21 | 5.8 MEDIUM | 4.8 MEDIUM |
| Missing SSL Certificate Validation issue exists in Pluck 4.7.15 in update_applet.php, which could lead to man-in-the-middle attacks. | |||||
| CVE-2021-31746 | 1 Pluck-cms | 1 Pluck | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Zip Slip vulnerability in Pluck-CMS Pluck 4.7.15 allows an attacker to upload specially crafted zip files, resulting in directory traversal and potentially arbitrary code execution. | |||||
| CVE-2021-31745 | 1 Pluck-cms | 1 Pluck | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Session Fixation vulnerability in login.php in Pluck-CMS Pluck 4.7.15 allows an attacker to sustain unauthorized access to the platform. Because Pluck does not invalidate prior sessions after a password change, access can be sustained even after an administrator performs regular remediation attempts such as resetting their password. | |||||
| CVE-2021-27984 | 1 Pluck-cms | 1 Pluck | 2024-11-21 | 7.5 HIGH | 8.1 HIGH |
| In Pluck-4.7.15 admin background a remote command execution vulnerability exists when uploading files. | |||||
| CVE-2020-24740 | 1 Pluck-cms | 1 Pluck | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Pluck 4.7.10-dev2. There is a CSRF vulnerability that can editpage via a /admin.php?action=editpage | |||||
| CVE-2020-21564 | 1 Pluck-cms | 1 Pluck | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Pluck CMS 4.7.10-dev2 and 4.7.11. There is a file upload vulnerability that can cause a remote command execution via admin.php?action=files. | |||||
| CVE-2020-20951 | 1 Pluck-cms | 1 Pluck | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Pluck-4.7.10-dev2 admin background, a remote command execution vulnerability exists when uploading files. | |||||
| CVE-2020-18198 | 1 Pluck-cms | 1 Pluck | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete specific images via the component " /admin.php?action=images." | |||||
| CVE-2020-18195 | 1 Pluck-cms | 1 Pluck | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete a specific article via the component " /admin.php?action=page." | |||||
| CVE-2019-9052 | 1 Pluck-cms | 1 Pluck | 2024-11-21 | 5.8 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete pictures via a /admin.php?action=deleteimage&var1= URI. | |||||
| CVE-2019-9051 | 1 Pluck-cms | 1 Pluck | 2024-11-21 | 5.8 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete articles via a /admin.php?action=deletepage&var1= URI. | |||||
| CVE-2019-9050 | 1 Pluck-cms | 1 Pluck | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in Pluck 4.7.9-dev1. It allows administrators to execute arbitrary code by using action=installmodule to upload a ZIP archive, which is then extracted and executed. | |||||
| CVE-2019-9049 | 1 Pluck-cms | 1 Pluck | 2024-11-21 | 5.8 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete modules via a /admin.php?action=module_delete&var1= URI. | |||||
| CVE-2019-9048 | 1 Pluck-cms | 1 Pluck | 2024-11-21 | 5.8 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete a theme (aka topic) via a /admin.php?action=theme_delete&var1= URI. | |||||
| CVE-2019-11344 | 1 Pluck-cms | 1 Pluck | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| data/inc/files.php in Pluck 4.7.8 allows remote attackers to execute arbitrary code by uploading a .htaccess file that specifies SetHandler x-httpd-php for a .txt file, because only certain PHP-related filename extensions are blocked. | |||||
| CVE-2019-1010062 | 1 Pluck-cms | 1 Pluckcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| PluckCMS 4.7.4 and earlier is affected by: CWE-434 Unrestricted Upload of File with Dangerous Type. The impact is: get webshell. The component is: data/inc/images.php line36. The attack vector is: modify the MIME TYPE on HTTP request to upload a php file. The fixed version is: after commit 09f0ab871bf633973cfd9fc4fe59d4a912397cf8. | |||||
| CVE-2018-7197 | 1 Pluck-cms | 1 Pluck | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Pluck through 4.7.4. A stored cross-site scripting (XSS) vulnerability allows remote unauthenticated users to inject arbitrary web script or HTML into admin/blog Reaction Comments via a crafted URL. | |||||
| CVE-2018-16729 | 1 Pluck-cms | 1 Pluck | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Pluck 4.7.7 allows XSS via an SVG file that contains Javascript in a SCRIPT element, and is uploaded via pages->manage under admin.php?action=files. | |||||
| CVE-2018-16634 | 1 Pluck-cms | 1 Pluck | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Pluck v4.7.7 allows CSRF via admin.php?action=settings. | |||||