CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2023-25828 – Authenticate Remote Code Execution in Pluck CMS
https://notcve.org/view.php?id=CVE-2023-25828
Pluck CMS is vulnerable to an authenticated remote code execution (RCE) vulnerability through its “albums” module. Albums are used to create collections of images that can be inserted into web pages across the site. Albums allow the upload of various filetypes, which undergo a normalization process before being available on the site. Due to lack of file extension validation, it is possible to upload a crafted JPEG payload containing an embedded PHP web-shell. An attacker may navigate to it directly to achieve RCE on the underlying web server. • https://www.synopsys.com/blogs/software-security/pluck-cms-vulnerability • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-26589
https://notcve.org/view.php?id=CVE-2022-26589
A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to delete arbitrary pages. Una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF) en Pluck CMS versión v4.7.15, permite a atacantes eliminar páginas arbitrarias • https://medium.com/%40devansh3008/pluck-cms-v4-7-15-csrf-vulnerability-at-delete-page-9fff0309f9c https://owasp.org/www-community/attacks/csrf • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-27432
https://notcve.org/view.php?id=CVE-2022-27432
A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to change the password of any given user by exploiting this feature leading to account takeover. Una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF) en Pluck CMS versión v4.7.15, permite a atacantes cambiar la contraseña de un usuario determinado al explotar esta funcionalidad, conllevando a una toma de posesión de la cuenta • https://owasp.org/www-community/attacks/csrf https://www.exploit-db.com/exploits/50831 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-27984
https://notcve.org/view.php?id=CVE-2021-27984
In Pluck-4.7.15 admin background a remote command execution vulnerability exists when uploading files. En Pluck versión 4.7.15 admin background, se presenta una vulnerabilidad de ejecución de comandos remota cuando son subidos archivos • https://github.com/pluck-cms/pluck/issues/98 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-31747
https://notcve.org/view.php?id=CVE-2021-31747
Missing SSL Certificate Validation issue exists in Pluck 4.7.15 in update_applet.php, which could lead to man-in-the-middle attacks. Se presenta un problema de comprobación de certificados SSL en Pluck versión 4.7.15, en el archivo update_applet.php, que podría conllevar a ataques de tipo man-in-the-middle • https://github.com/pluck-cms/pluck/issues/101 • CWE-295: Improper Certificate Validation •