CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 2

An issue was discovered in Pluck through 4.7.4. A stored cross-site scripting (XSS) vulnerability allows remote unauthenticated users to inject arbitrary web script or HTML into admin/blog Reaction Comments via a crafted URL.

• https://github.com/Alyssa-o-Herrera/CVE-2018-7197
• https://github.com/pluck-cms/pluck/issues/47
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.8 | EPSS: 3% | CPEs: 1 | EXPL: 2

Multiple directory traversal vulnerabilities in pluck 4.6.2, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the langpref parameter to (1) data/modules/contactform/module_info.php, (2) data/modules/blog/module_info.php, and (3) data/modules/albums/module_info.php, different vectors than CVE-2008-3194.

• https://www.exploit-db.com/exploits/8715
• http://secunia.com/advisories/35145
• http://www.securityfocus.com/bid/35007
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')