Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Pluck
(Pluck\-Cms)| Repositories | https://github.com/pluck-cms/pluck |
| #Vulnerabilities | 42 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2021-05-17 | CVE-2020-18198 | Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete specific images via the component " /admin.php?action=images." | Pluck | 8.8 | ||
| 2021-05-18 | CVE-2020-24740 | An issue was discovered in Pluck 4.7.10-dev2. There is a CSRF vulnerability that can editpage via a /admin.php?action=editpage | Pluck | 4.3 | ||
| 2019-02-23 | CVE-2019-9052 | An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete pictures via a /admin.php?action=deleteimage&var1= URI. | Pluck | 6.5 | ||
| 2019-02-23 | CVE-2019-9051 | An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete articles via a /admin.php?action=deletepage&var1= URI. | Pluck | 6.5 | ||
| 2019-02-23 | CVE-2019-9050 | An issue was discovered in Pluck 4.7.9-dev1. It allows administrators to execute arbitrary code by using action=installmodule to upload a ZIP archive, which is then extracted and executed. | Pluck | 7.2 | ||
| 2019-02-23 | CVE-2019-9049 | An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete modules via a /admin.php?action=module_delete&var1= URI. | Pluck | 6.5 | ||
| 2019-02-23 | CVE-2019-9048 | An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete a theme (aka topic) via a /admin.php?action=theme_delete&var1= URI. | Pluck | 6.5 | ||
| 2019-04-19 | CVE-2019-11344 | data/inc/files.php in Pluck 4.7.8 allows remote attackers to execute arbitrary code by uploading a .htaccess file that specifies SetHandler x-httpd-php for a .txt file, because only certain PHP-related filename extensions are blocked. | Pluck | 9.8 | ||
| 2018-02-18 | CVE-2018-7197 | An issue was discovered in Pluck through 4.7.4. A stored cross-site scripting (XSS) vulnerability allows remote unauthenticated users to inject arbitrary web script or HTML into admin/blog Reaction Comments via a crafted URL. | Pluck | 6.1 | ||
| 2018-09-12 | CVE-2018-16729 | Pluck 4.7.7 allows XSS via an SVG file that contains Javascript in a SCRIPT element, and is uploaded via pages->manage under admin.php?action=files. | Pluck | 5.4 |