Vulnerability Details : CVE-2018-11331
An issue was discovered in Pluck before 4.7.6. Remote PHP code execution is possible because the set of disallowed filetypes for uploads is missing some applicable ones such as .phtml and .htaccess.
Products affected by CVE-2018-11331
- cpe:2.3:a:pluck-cms:pluck:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-11331
- 0.46%: probability of exploitation activity in the next 30 days
- ~75%: percentile, the proportion of vulnerabilities that are scored at or below this value
CVSS scores for CVE-2018-11331
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | 
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | 
CWE ids for CVE-2018-11331
- The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-11331
- https://github.com/pluck-cms/pluck/issues/58 (Xss & file upload vuln. Please advise. · Issue #58 · pluck-cms/pluck · GitHub) Issue Tracking; Patch; Third Party Advisory
- https://github.com/pluck-cms/pluck/commit/8f6541e60c9435e82e9c531a20cb3c218d36976e (bugfix for XSS and backdoor file upload found by s7acktrac3 issue #58 · pluck-cms/pluck@8f6541e · GitHub) Patch; Third Party Advisory