Filtered by vendor Pluck-cms
Subscriptions
Filtered by product Pluck
Subscriptions
Total
41 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-27984 | 1 Pluck-cms | 1 Pluck | 2021-12-14 | 8.1 High |
| In Pluck-4.7.15 admin background a remote command execution vulnerability exists when uploading files. | ||||
| CVE-2020-21564 | 1 Pluck-cms | 1 Pluck | 2021-09-21 | 8.8 High |
| An issue was discovered in Pluck CMS 4.7.10-dev2 and 4.7.11. There is a file upload vulnerability that can cause a remote command execution via admin.php?action=files. | ||||
| CVE-2020-24740 | 1 Pluck-cms | 1 Pluck | 2021-05-24 | 4.3 Medium |
| An issue was discovered in Pluck 4.7.10-dev2. There is a CSRF vulnerability that can editpage via a /admin.php?action=editpage | ||||
| CVE-2020-18198 | 1 Pluck-cms | 1 Pluck | 2021-05-24 | 8.8 High |
| Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete specific images via the component " /admin.php?action=images." | ||||
| CVE-2020-18195 | 1 Pluck-cms | 1 Pluck | 2021-05-24 | 8.8 High |
| Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete a specific article via the component " /admin.php?action=page." | ||||
| CVE-2019-11344 | 1 Pluck-cms | 1 Pluck | 2019-04-22 | N/A |
| data/inc/files.php in Pluck 4.7.8 allows remote attackers to execute arbitrary code by uploading a .htaccess file that specifies SetHandler x-httpd-php for a .txt file, because only certain PHP-related filename extensions are blocked. | ||||
| CVE-2018-16634 | 1 Pluck-cms | 1 Pluck | 2019-02-26 | N/A |
| Pluck v4.7.7 allows CSRF via admin.php?action=settings. | ||||
| CVE-2018-16633 | 1 Pluck-cms | 1 Pluck | 2019-02-26 | N/A |
| Pluck v4.7.7 allows XSS via the admin.php?action=editpage&page= page title. | ||||
| CVE-2019-9050 | 1 Pluck-cms | 1 Pluck | 2019-02-25 | N/A |
| An issue was discovered in Pluck 4.7.9-dev1. It allows administrators to execute arbitrary code by using action=installmodule to upload a ZIP archive, which is then extracted and executed. | ||||
| CVE-2019-9052 | 1 Pluck-cms | 1 Pluck | 2019-02-25 | N/A |
| An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete pictures via a /admin.php?action=deleteimage&var1= URI. | ||||
| CVE-2019-9051 | 1 Pluck-cms | 1 Pluck | 2019-02-25 | N/A |
| An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete articles via a /admin.php?action=deletepage&var1= URI. | ||||
| CVE-2019-9049 | 1 Pluck-cms | 1 Pluck | 2019-02-25 | N/A |
| An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete modules via a /admin.php?action=module_delete&var1= URI. | ||||
| CVE-2019-9048 | 1 Pluck-cms | 1 Pluck | 2019-02-25 | N/A |
| An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete a theme (aka topic) via a /admin.php?action=theme_delete&var1= URI. | ||||
| CVE-2018-16729 | 1 Pluck-cms | 1 Pluck | 2018-11-09 | N/A |
| Pluck 4.7.7 allows XSS via an SVG file that contains Javascript in a SCRIPT element, and is uploaded via pages->manage under admin.php?action=files. | ||||
| CVE-2018-7197 | 1 Pluck-cms | 1 Pluck | 2018-03-05 | N/A |
| An issue was discovered in Pluck through 4.7.4. A stored cross-site scripting (XSS) vulnerability allows remote unauthenticated users to inject arbitrary web script or HTML into admin/blog Reaction Comments via a crafted URL. | ||||
| CVE-2008-6253 | 1 Pluck-cms | 1 Pluck | 2017-10-11 | N/A |
| Directory traversal vulnerability in data/inc/lib/pcltar.lib.php in Pluck 4.5.3, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the g_pcltar_lib_dir parameter. | ||||
| CVE-2009-1765 | 1 Pluck-cms | 1 Pluck | 2017-09-29 | N/A |
| Multiple directory traversal vulnerabilities in pluck 4.6.2, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the langpref parameter to (1) data/modules/contactform/module_info.php, (2) data/modules/blog/module_info.php, and (3) data/modules/albums/module_info.php, different vectors than CVE-2008-3194. | ||||
| CVE-2008-6842 | 1 Pluck-cms | 1 Pluck | 2017-09-29 | N/A |
| Directory traversal vulnerability in data/modules/blog/module_pages_site.php in Pluck 4.6.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the post parameter. | ||||
| CVE-2014-8706 | 1 Pluck-cms | 1 Pluck | 2017-03-28 | N/A |
| Pluck CMS 4.7.2 allows remote attackers to obtain sensitive information by (1) changing "PHPSESSID" to an array; (2) adding non-alphanumeric chars to "PHPSESSID"; (3) changing the image parameter to an array; or (4) changing the image parameter to a string, which reveals the installation path in an error message. | ||||
| CVE-2014-8708 | 1 Pluck-cms | 1 Pluck | 2017-03-20 | N/A |
| Pluck CMS 4.7.2 allows remote attackers to execute arbitrary code via the blog form feature. | ||||