Bas S

3 exploits, active since May 2018
CVE-2018-11330 WRITEUP MEDIUM
Pluck < 4.7.6 - XSS
An issue was discovered in Pluck before 4.7.6. There is authenticated stored XSS because the character set for filenames is not properly restricted.
CVSS 4.8
CVE-2018-11331 WRITEUP CRITICAL
Pluck < 4.7.6 - Unrestricted File Upload
An issue was discovered in Pluck before 4.7.6. Remote PHP code execution is possible because the set of disallowed filetypes for uploads is missing some applicable ones such as .phtml and .htaccess.
CVSS 9.8
CVE-2019-1010062 WRITEUP CRITICAL
PluckCMS < 4.7.4 - Unrestricted Upload of File with Dangerous Type
PluckCMS 4.7.4 and earlier is affected by: CWE-434 Unrestricted Upload of File with Dangerous Type. The impact is: get webshell. The component is: data/inc/images.php line 36. The attack vector is: modify the MIME type on the HTTP request to upload a PHP file. The fixed version is: after commit 09f0ab871bf633973cfd9fc4fe59d4a912397cf8.
CVSS 9.8