Note: This project will be discontinued after December 13, 2021.
Product: Pluck (Pluck-Cms)
Repositories: https://github.com/pluck-cms/pluck
#Vulnerabilities: 42
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2021-05-18 | CVE-2020-24740 | An issue was discovered in Pluck 4.7.10-dev2. A CSRF vulnerability allows page edits to be forced through /admin.php?action=editpage. | Pluck | 4.3 | ||
2021-12-10 | CVE-2021-31745 | Session Fixation vulnerability in login.php in Pluck-CMS Pluck 4.7.15 allows an attacker to sustain unauthorized access to the platform. Because Pluck does not invalidate prior sessions after a password change, access can be sustained even after an administrator performs regular remediation attempts such as resetting their password. | Pluck | 7.5 | ||
2021-12-10 | CVE-2021-31746 | Zip Slip vulnerability in Pluck-CMS Pluck 4.7.15 allows an attacker to upload specially crafted zip files, resulting in directory traversal and potentially arbitrary code execution. | Pluck | 9.8 | ||
2021-12-10 | CVE-2021-27984 | In the Pluck 4.7.15 admin backend, a remote command execution vulnerability exists in the file upload functionality. | Pluck | 8.1 | ||
2021-12-10 | CVE-2021-31747 | Missing SSL Certificate Validation issue exists in Pluck 4.7.15 in update_applet.php, which could lead to man-in-the-middle attacks. | Pluck | 4.8 | ||
2022-03-18 | CVE-2022-26965 | In Pluck 4.7.16, an admin user can use the theme upload functionality at /admin.php?action=themeinstall to perform remote code execution. | Pluck | 7.2 | ||
2022-03-30 | CVE-2022-27432 | A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to change the password of any user, leading to account takeover. | Pluck | 8.8 | ||
2022-04-13 | CVE-2022-26589 | A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to delete arbitrary pages. | Pluck | 6.5 | ||
2023-06-22 | CVE-2023-27083 | An issue discovered in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev5 allows remote attackers to run arbitrary code via the file management functionality. | Pluck | 7.2 | ||
2023-06-26 | CVE-2023-27082 | Cross Site Scripting (XSS) vulnerability in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev4 allows remote attackers to run arbitrary code via upload of a crafted HTML file. | Pluck | 4.8 | ||
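The Zip Slip entry above (CVE-2021-31746) describes the general pattern of an archive whose entry names contain `..` or absolute paths escaping the extraction directory. The following is an added example, not code from Pluck or from the advisory, showing how an extraction routine can reject such entries before writing anything. It assumes PHP 7.4 or later with the `zip` extension; the destination directory and entry names in the checks at the bottom are constructed.

```php
<?php
declare(strict_types=1);

// Added example (not Pluck's code): extract an archive without letting
// entry names escape the destination directory (the "Zip Slip" pattern).

/**
 * Resolve an archive entry name against $destDir purely lexically and
 * return the absolute target path, or null if the entry would land
 * outside $destDir. realpath() cannot be used: the target does not exist yet.
 */
function zipEntryTarget(string $destDir, string $entryName): ?string
{
    // Treat backslashes as separators: archives built on Windows use them,
    // and a naive check for "../" would otherwise miss "..\".
    $name = str_replace('\\', '/', $entryName);

    // Absolute paths and Windows drive letters are never acceptable.
    if ($name === '' || $name[0] === '/' || preg_match('#^[A-Za-z]:#', $name)) {
        return null;
    }

    $parts = [];
    foreach (explode('/', $name) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            if (empty($parts)) {
                return null;          // would climb above $destDir
            }
            array_pop($parts);
            continue;
        }
        $parts[] = $segment;
    }
    if (empty($parts)) {
        return null;                  // entry resolves to $destDir itself
    }

    return rtrim($destDir, '/') . '/' . implode('/', $parts);
}

/**
 * Extract $zipPath into $destDir, skipping any entry whose target is outside
 * $destDir. Returns the list of rejected entry names so the caller can log them.
 */
function safeExtractZip(string $zipPath, string $destDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }

    $rejected = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $entry  = $zip->getNameIndex($i);
        $target = zipEntryTarget($destDir, $entry);
        if ($target === null) {
            $rejected[] = $entry;
            continue;
        }
        if (substr($entry, -1) === '/') {            // directory entry
            if (!is_dir($target)) { mkdir($target, 0755, true); }
            continue;
        }
        $dir = dirname($target);
        if (!is_dir($dir)) { mkdir($dir, 0755, true); }
        // Copy the entry through a stream rather than ZipArchive::extractTo(),
        // so the path decision above is the only thing that chooses the target.
        $in = $zip->getStream($entry);
        if ($in === false) {
            $rejected[] = $entry;
            continue;
        }
        file_put_contents($target, stream_get_contents($in));
        fclose($in);
    }
    $zip->close();
    return $rejected;
}

// Constructed checks of the path logic alone (no archive needed).
$dest = '/var/www/pluck/files';
assert(zipEntryTarget($dest, 'images/logo.png') === '/var/www/pluck/files/images/logo.png');
assert(zipEntryTarget($dest, '../../admin.php') === null);
assert(zipEntryTarget($dest, 'a/../../../etc/passwd') === null);
assert(zipEntryTarget($dest, '..\\..\\admin.php') === null);
assert(zipEntryTarget($dest, '/etc/passwd') === null);
```

Because entries are copied as regular files from a stream, symlink entries in the archive are never materialized, which closes the other common traversal route (a symlink entry pointing outside the tree followed by a file written through it). Rejecting the whole upload when `safeExtractZip()` returns a non-empty list is stricter than skipping entries and is usually the better choice for a theme or module installer.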
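CVE-2021-31745 above names two missing controls: a new session identifier at login, and invalidation of existing sessions when the password changes. The following added example, not Pluck's code, models both with in-memory arrays standing in for PHP's session store and Pluck's user data files, so the flow runs from the CLI. The user name, passwords and the `gen` (credential generation) field are constructed for the walk-through; in a real deployment `SessionStore::create()` corresponds to `session_regenerate_id(true)`.

```php
<?php
declare(strict_types=1);

// Added example (not Pluck's code): a fresh session ID on every login, plus a
// per-user credential generation that is bumped on password change so every
// other session for that user fails its next request.

final class SessionStore
{
    /** @var array<string, array{user:string, gen:int}> sessionId => data (constructed stand-in) */
    private array $sessions = [];

    public function create(string $user, int $gen): string
    {
        $id = bin2hex(random_bytes(16));          // never derived from a client-supplied value
        $this->sessions[$id] = ['user' => $user, 'gen' => $gen];
        return $id;
    }

    public function get(string $id): ?array { return $this->sessions[$id] ?? null; }
    public function destroy(string $id): void { unset($this->sessions[$id]); }
}

final class Users
{
    /** @var array<string, array{hash:string, gen:int}> (constructed stand-in for the user file) */
    private array $users = [];

    public function add(string $name, string $password): void
    {
        $this->users[$name] = ['hash' => password_hash($password, PASSWORD_DEFAULT), 'gen' => 0];
    }

    public function verify(string $name, string $password): bool
    {
        return isset($this->users[$name]) && password_verify($password, $this->users[$name]['hash']);
    }

    public function generation(string $name): int { return $this->users[$name]['gen']; }

    /** Rotating the hash alone leaves old sessions alive; bumping gen is what kills them. */
    public function setPassword(string $name, string $password): void
    {
        $this->users[$name]['hash'] = password_hash($password, PASSWORD_DEFAULT);
        $this->users[$name]['gen']++;
    }
}

/** Returns a new session id on success, or null. A presented (possibly fixed) id is never reused. */
function login(Users $users, SessionStore $store, ?string $presentedId, string $name, string $password): ?string
{
    if ($presentedId !== null) { $store->destroy($presentedId); }
    if (!$users->verify($name, $password)) { return null; }
    return $store->create($name, $users->generation($name));
}

/** Per-request check: the session must carry the user's current generation. */
function authenticated(Users $users, SessionStore $store, string $id): bool
{
    $s = $store->get($id);
    return $s !== null && $s['gen'] === $users->generation($s['user']);
}

/** Password change from within session $id: bumps gen and re-issues only the caller's session. */
function changePassword(Users $users, SessionStore $store, string $id, string $newPassword): string
{
    $s = $store->get($id);
    if ($s === null) { throw new RuntimeException('no such session'); }
    $users->setPassword($s['user'], $newPassword);
    $store->destroy($id);
    return $store->create($s['user'], $users->generation($s['user']));
}

// Constructed walk-through: two live admin sessions, then a password reset.
$users = new Users();
$store = new SessionStore();
$users->add('admin', 'old-password');

$attacker = login($users, $store, null, 'admin', 'old-password');   // session the attacker obtained
$victim   = login($users, $store, null, 'admin', 'old-password');   // the administrator's own session
assert(authenticated($users, $store, $attacker));

$victim = changePassword($users, $store, $victim, 'new-password');
assert(authenticated($users, $store, $victim));       // the administrator keeps working
assert(!authenticated($users, $store, $attacker));    // the attacker's session is now rejected
```

The generation counter is what makes the password reset an effective remediation: without it, a session stolen before the reset keeps working because nothing ties it to the credential that authorized it.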