CVE-2019-9052
https://notcve.org/view.php?id=CVE-2019-9052
An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete pictures via a /admin.php?action=deleteimage&var1= URI. • https://github.com/pluck-cms/pluck/issues/69 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2018-16634
https://notcve.org/view.php?id=CVE-2018-16634
Pluck v4.7.7 allows CSRF via admin.php?action=settings. • https://github.com/security-breachlock/CVE-2018-16634/blob/master/PLUCK_CSRF.pdf • CWE-352: Cross-Site Request Forgery (CSRF)
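Both CSRF entries above (CVE-2019-9052 and CVE-2018-16634) share one root cause: an admin action is performed for any request that carries the admin's session cookie, which a page on another origin can trigger. The example below is added here and is not Pluck's code; it models a hypothetical dispatcher in Python rather than PHP so the check itself is the focus. The action names come from the advisories; the session layout, the `var1` semantics (taken to be the image filename) and the assumption that the quoted query-string form is reachable over GET are assumptions.

```python
"""CSRF protection for state-changing admin actions.

Added example: a hypothetical Pluck-style dispatcher, not the project's code.
The action names come from the two advisories; everything else is assumed.
"""
import hmac
import secrets

# Actions that change server state and therefore need CSRF protection.
STATE_CHANGING_ACTIONS = {"deleteimage", "settings"}


def issue_csrf_token(session: dict) -> str:
    """Create, once per session, an unguessable token that the admin UI embeds
    in every form and that a cross-origin page cannot read."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def csrf_token_valid(session: dict, submitted) -> bool:
    """Constant-time comparison; a missing token on either side fails closed."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def admin_dispatch_vulnerable(session: dict, method: str, params: dict, images: set) -> str:
    """The bug class: a logged-in admin's browser sends the session cookie with
    any request, so a cross-site <img src="/admin.php?action=deleteimage&var1=x">
    is honoured exactly like a click in the admin UI."""
    if not session.get("logged_in"):
        return "login required"
    if params.get("action") == "deleteimage":
        images.discard(params.get("var1"))
        return "deleted"
    return "unknown action"


def admin_dispatch_hardened(session: dict, method: str, params: dict, images: set) -> str:
    """Same dispatcher with two checks in front of every state-changing action."""
    if not session.get("logged_in"):
        return "login required"
    action = params.get("action")
    if action in STATE_CHANGING_ACTIONS:
        # 1. A GET must never change state: a forged <img> or link is always a GET.
        if method != "POST":
            return "rejected: state-changing action requires POST"
        # 2. The request must carry the per-session token from the real admin form.
        if not csrf_token_valid(session, params.get("csrf_token")):
            return "rejected: missing or invalid CSRF token"
    if action == "deleteimage":
        images.discard(params.get("var1"))
        return "deleted"
    return "unknown action"


def demo() -> dict:
    """Replay one constructed cross-site request against both dispatchers."""
    session = {"logged_in": True}          # the victim admin's session (constructed)
    token = issue_csrf_token(session)
    forged = {"action": "deleteimage", "var1": "logo.jpg"}  # constructed attacker request

    images_v = {"logo.jpg", "banner.png"}
    vulnerable = admin_dispatch_vulnerable(session, "GET", dict(forged), images_v)

    images_h = {"logo.jpg", "banner.png"}
    forged_get = admin_dispatch_hardened(session, "GET", dict(forged), images_h)
    wrong_token = admin_dispatch_hardened(session, "POST", {**forged, "csrf_token": "0" * 64}, images_h)
    after_forgery = sorted(images_h)
    legit = admin_dispatch_hardened(session, "POST", {**forged, "csrf_token": token}, images_h)

    return {
        "vulnerable": vulnerable, "vulnerable_images": sorted(images_v),
        "forged_get": forged_get, "wrong_token": wrong_token,
        "images_after_forgery": after_forgery,
        "legit": legit, "images_after_legit": sorted(images_h),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The token is what a cross-origin page cannot obtain, so the POST requirement alone is not enough (a hidden auto-submitting form can POST cross-site); the two checks together are the fix. Marking the session cookie `SameSite=Lax` or `Strict` adds a second layer, but the server-side token remains the control that does not depend on browser behaviour.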
CVE-2018-16633
https://notcve.org/view.php?id=CVE-2018-16633
Pluck v4.7.7 allows XSS via the admin.php?action=editpage&page= page title. • https://github.com/security-breachlock/CVE-2018-16633/blob/master/PLUCK_XSS.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-16729
https://notcve.org/view.php?id=CVE-2018-16729
Pluck 4.7.7 allows XSS via an SVG file that contains JavaScript in a SCRIPT element and is uploaded via pages->manage under admin.php?action=files. • https://github.com/pluck-cms/pluck/issues/63 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
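The two XSS entries above have different sinks: CVE-2018-16633 is untrusted text (the page title) written into admin HTML without encoding, and CVE-2018-16729 is an uploaded SVG, which browsers treat as an XML document that may contain script when it is opened inline. The example below is added here and is not Pluck's code; the `render_title_*` functions are a hypothetical stand-in for whatever template writes the title, and the SVG checker is a generic one written against the stdlib XML parser. The sample SVGs are constructed.

```python
"""Stored-XSS defences for two sinks: a page title rendered into HTML and an
uploaded SVG. Added example, not Pluck's code; function names are hypothetical."""
import html
import xml.etree.ElementTree as ET

# --- sink 1: page title rendered into admin HTML ---------------------------

def render_title_vulnerable(title: str) -> str:
    """Untrusted title concatenated straight into markup (the bug class)."""
    return f"<h1>{title}</h1>"


def render_title_safe(title: str) -> str:
    """Escape for the HTML text context. html.escape keeps quote=True by default,
    so the same call is also safe inside a double-quoted attribute value."""
    return f"<h1>{html.escape(title)}</h1>"


# --- sink 2: uploaded SVG ---------------------------------------------------

FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "object", "embed"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")   # strict: data: is rejected too


def _local(name: str) -> str:
    """Strip the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def svg_is_safe(data: bytes) -> tuple:
    """Return (ok, reason). Rejects constructs that run script when the SVG is
    opened inline: <script>, on* event handlers, scriptable href/src values and
    <foreignObject> (which can embed arbitrary HTML).
    For untrusted input in production prefer defusedxml over ElementTree, which
    does not limit entity expansion."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if _local(root.tag) != "svg":
        return False, "root element is not <svg>"
    for el in root.iter():                      # includes the root itself
        tag = _local(el.tag)
        if tag in FORBIDDEN_ELEMENTS:
            return False, f"forbidden element <{tag}>"
        for attr, value in el.attrib.items():
            name = _local(attr)                  # handles xlink:href as well as href
            if name.startswith("on"):
                return False, f"event handler {name} on <{tag}>"
            if name in ("href", "src") and value.strip().lower().startswith(SCRIPT_SCHEMES):
                return False, f"scriptable {name} on <{tag}>"
    return True, "ok"


# Constructed samples (not from the advisory).
SAFE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
            b'<circle cx="5" cy="5" r="4"/></svg>')
SCRIPT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>alert(document.domain)</script></svg>')
ONLOAD_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>'
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
            b'xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="javascript:alert(1)"><text>x</text></a></svg>')

if __name__ == "__main__":
    print(render_title_vulnerable("<script>alert(1)</script>"))
    print(render_title_safe("<script>alert(1)</script>"))
    for label, svg in [("safe", SAFE_SVG), ("script", SCRIPT_SVG),
                       ("onload", ONLOAD_SVG), ("href", HREF_SVG)]:
        print(label, svg_is_safe(svg))
```

Rejecting script-bearing SVGs at upload time is the first layer; the second is how the file is served. An SVG delivered with `Content-Disposition: attachment`, or from an origin that holds no session cookie, cannot run script against the admin session even if a checker misses a construct, so both layers are worth having.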
CVE-2018-11736
https://notcve.org/view.php?id=CVE-2018-11736
An issue was discovered in Pluck before 4.7.7-dev2. /data/inc/images.php allows remote attackers to upload and execute arbitrary PHP code by using the image/jpeg content type for a .htaccess file. • https://github.com/pluck-cms/pluck/issues/61 • https://github.com/pluck-cms/pluck/releases/tag/4.7.7-dev2 • CWE-434: Unrestricted Upload of File with Dangerous Type
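The Content-Type of a multipart upload is set by the client, so a check that accepts anything declared `image/jpeg` accepts a `.htaccess` file too; where Apache's `AllowOverride` honours per-directory files, such a file can change which handler processes the directory's contents, which is how a file upload turns into PHP execution. The example below is added here and is not Pluck's `images.php`; it contrasts a validator that trusts the declared type with one that ignores it. Function names and the sample payloads are constructed.

```python
"""Upload validation for an image endpoint. Added example, not Pluck's code;
function names are hypothetical and the sample payloads are constructed."""
import os
import secrets

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# File signatures the content must start with for each accepted extension.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def accept_upload_vulnerable(filename: str, declared_type: str, content: bytes) -> bool:
    """The bug class: the only check is the client-supplied Content-Type."""
    return declared_type in ("image/jpeg", "image/png", "image/gif")


def accept_upload_hardened(filename: str, declared_type: str, content: bytes) -> bool:
    """Decide from the name and the bytes; the declared type is not consulted."""
    base = os.path.basename(filename.replace("\\", "/"))   # drop any path component
    if base.startswith("."):
        return False            # dotfiles: .htaccess, .user.ini, ...
    if base.count(".") != 1:
        return False            # no extension, or shell.php.jpg style double extensions
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False
    # Check the bytes, not the header. A polyglot (valid JPEG header with PHP
    # appended) still passes here, which is why the extension allowlist and the
    # server-side handler configuration matter as well.
    return any(content.startswith(sig) for sig in MAGIC[ext])


def stored_name(ext: str) -> str:
    """Never reuse the client's filename: pick a server-generated one."""
    return f"{secrets.token_hex(8)}.{ext.lower()}"


# Constructed payloads.
HTACCESS_PAYLOAD = b"AddType application/x-httpd-php .jpg\n"   # makes .jpg run as PHP
PHP_PAYLOAD = b"<?php echo 'hello'; ?>"
JPEG_STUB = b"\xff\xd8\xff\xe0" + b"\x00" * 16                  # minimal JPEG prefix


def demo() -> dict:
    """Run the same three uploads through both validators."""
    cases = {
        "htaccess_as_jpeg": (".htaccess", "image/jpeg", HTACCESS_PAYLOAD),
        "php_as_jpeg": ("shell.php", "image/jpeg", PHP_PAYLOAD),
        "real_jpeg": ("photo.jpg", "image/jpeg", JPEG_STUB),
    }
    return {
        name: (accept_upload_vulnerable(*args), accept_upload_hardened(*args))
        for name, args in cases.items()
    }


if __name__ == "__main__":
    for name, (vuln, hard) in demo().items():
        print(f"{name}: vulnerable={vuln} hardened={hard}")
```

The validator is one layer. The upload directory should also be served with `AllowOverride None` and no script handler, so that even an unexpected file there is static content rather than code.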