
CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

An incorrect limitation of a path to a restricted directory (path traversal) has been detected in Pluck CMS, affecting version 4.7.18. An unauthenticated attacker could extract sensitive information from the server via the absolute path of a file located in the same directory or subdirectory as the module, but not from recursive directories. • https://www.incibe.es/en/incibe-cert/notices/aviso/incorrect-limitation-path-restricted-directory-pluck-cms • CWE-23: Relative Path Traversal •

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 4

An arbitrary file upload vulnerability in the component /inc/modules_install.php of Pluck-CMS v4.7.18 allows attackers to execute arbitrary code via uploading a crafted ZIP file. • https://github.com/ipuig/CVE-2023-50564 https://github.com/rwexecute/CVE-2023-50564 https://github.com/thefizzyfish/CVE-2023-50564-pluck https://github.com/SecBridge/Cms_Vuls_test/blob/main/Pluckcms/Pluck_v4.7.18_Any_File_Upload_Getshell.md • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

A vulnerability has been found in Pluck CMS 4.7.18 and classified as problematic. This vulnerability affects unknown code of the file install.php of the component Installation Handler. The manipulation of the argument contents with the input <script>alert('xss')</script> leads to cross site scripting. The attack can be initiated remotely. The complexity of an attack is rather high. • https://github.com/Jacky-Y/vuls/blob/main/vul3.md https://vuldb.com/?ctiid.239854 https://vuldb.com/?id.239854 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.8 • EPSS: 0% • CPEs: 5 • EXPL: 0

Cross Site Scripting (XSS) vulnerability in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev4 allows remote attackers to run arbitrary code via upload of a crafted HTML file. • https://medium.com/%40syed.pentester/authenticated-stored-cross-site-scripting-xss-d39aab69e58f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.2 • EPSS: 0% • CPEs: 7 • EXPL: 0

An issue was discovered in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev5 that allows remote attackers to run arbitrary code via the manage file functionality. • https://medium.com/%40syed.pentester/authenticated-remote-code-execution-rce-on-pluckcms-4-7-15-c309ac1bd145 • CWE-434: Unrestricted Upload of File with Dangerous Type •