CVE-2018-11331

Published: May 21, 2018Modified: Nov 21, 2024

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

An issue was discovered in Pluck before 4.7.6. Remote PHP code execution is possible because the set of disallowed filetypes for uploads in missing some applicable ones such as .phtml and .htaccess.

Affected (1)

Products: Pluck Cms: Pluck

Pluck Cms

1 product

Pluck

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Pluck Cms Pluck	Before 4.7.6

Related CWEs

CWE-434

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (4)

https://github.com/pluck-cms/pluck/commit/8f6541e60c9435e82e9c531a20cb3c218d36976e

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/pluck-cms/pluck/issues/58

Source: cve@mitre.org

Issue TrackingPatchThird Party Advisory

https://github.com/pluck-cms/pluck/commit/8f6541e60c9435e82e9c531a20cb3c218d36976e

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/pluck-cms/pluck/issues/58

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

Timeline

No history available yet.