CVE-2014-8706

MEDIUM

Pluck CMS 4.7.2 - Info Disclosure

Title source: llm

Description

Pluck CMS 4.7.2 allows remote attackers to obtain sensitive information by (1) changing "PHPSESSID" to an array; (2) adding non-alphanumeric chars to "PHPSESSID"; (3) changing the image parameter to an array; or (4) changing the image parameter to a string, which reveals the installation path in an error message.

References (2)

[Third Party Advisory] http://rossmarks.uk/portfolio.php

[Exploit] http://rossmarks.uk/whitepapers/pluck_cms_4.7.txt

Scores

CVSS v3 5.3

EPSS 0.0024

EPSS Percentile 47.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-200

Status published

Affected Products (2)

pluck-cms/pluck

n/a/n/a

Timeline

Published Mar 17, 2017

Tracked Since Feb 18, 2026