CVE-2024-9405
https://notcve.org/view.php?id=CVE-2024-9405
An incorrect limitation of a path to a restricted directory (path traversal) has been detected in Pluck CMS, affecting version 4.7.18. An unauthenticated attacker could extract sensitive information from the server via the absolute path of a file located in the same directory or subdirectory as the module, but not from recursive directories. • https://www.incibe.es/en/incibe-cert/notices/aviso/incorrect-limitation-path-restricted-directory-pluck-cms • CWE-23: Relative Path Traversal
CVE-2023-50564
https://notcve.org/view.php?id=CVE-2023-50564
An arbitrary file upload vulnerability in the component /inc/modules_install.php of Pluck-CMS v4.7.18 allows attackers to execute arbitrary code via uploading a crafted ZIP file. • https://github.com/ipuig/CVE-2023-50564 https://github.com/rwexecute/CVE-2023-50564 https://github.com/thefizzyfish/CVE-2023-50564-pluck https://github.com/SecBridge/Cms_Vuls_test/blob/main/Pluckcms/Pluck_v4.7.18_Any_File_Upload_Getshell.md • CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2023-5013 – Pluck CMS Installation install.php cross site scripting
https://notcve.org/view.php?id=CVE-2023-5013
A vulnerability has been found in Pluck CMS 4.7.18 and classified as problematic. This vulnerability affects unknown code of the file install.php of the component Installation Handler. The manipulation of the argument contents with the input <script>alert('xss')</script> leads to cross site scripting. The attack can be initiated remotely. The complexity of an attack is rather high. • https://github.com/Jacky-Y/vuls/blob/main/vul3.md https://vuldb.com/?ctiid.239854 https://vuldb.com/?id.239854 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')