China-Eugene

**Nome do software vulnerável e versões afetadas: Pluck CMS versão 4.7.9 Descrição: A vulnerabilidade permite que invasores remotos executem código arbitrário e excluam um artigo específico por meio do componente “/admin.php?action=page”. Trata-se de uma vulnerabilidade do tipo Cross Site Request Forgery (CSRF). Recomendações: Para o Pluck CMS versão 4.7.9, considere desativar o acesso ao componente “/admin.php?action=page” até que uma correção esteja disponível. Restrinja o acesso ao parâmetro `action` no endpoint `/admin.php` para minimizar o risco de exploração. No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.

**Nome do software vulnerável e versões afetadas: Pluck CMS versão 4.7.9 Descrição: A vulnerabilidade permite que invasores remotos executem código arbitrário e excluam imagens específicas por meio do componente “/admin.php?action=images”. Trata-se de uma vulnerabilidade do tipo Cross Site Request Forgery (CSRF). Recomendações: Para o Pluck CMS versão 4.7.9, como solução temporária, considere restringir o acesso ao componente “/admin.php?action=images” até que uma correção esteja disponível. Evite usar este componente em cenários onde ataques CSRF sejam possíveis. No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** MiniCMS version 1.10 **Description** The issue allows for the deletion of articles via a CSRF vulnerability in the "mc-admin/post.php" endpoint, specifically when the "state" parameter is set to "publish" and the "delete" parameter is utilized. **Recommendations** For MiniCMS version 1.10, consider implementing CSRF protection measures to prevent unauthorized deletion of articles. As a temporary workaround, restrict access to the "mc-admin/post.php" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Pluck version 4.7.9-dev1 **Description** A CSRF issue allows deletion of articles via the "/admin.php?action=deletepage&var1=" URI. **Recommendations** For Pluck version 4.7.9-dev1, as a temporary workaround, consider restricting access to the "/admin.php?action=deletepage&var1=" URI to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Pluck version 4.7.9-dev1 **Description** A CSRF issue allows deletion of a theme via the "/admin.php?action=theme delete&var1=" API endpoint. **Recommendations** For Pluck version 4.7.9-dev1, as a temporary workaround, consider restricting access to the "/admin.php?action=theme delete&var1=" API endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Pluck version 4.7.9-dev1 **Description** An issue was discovered that allows for a CSRF vulnerability, enabling the deletion of pictures via the "/admin.php?action=deleteimage&var1=" URI. **Recommendations** For Pluck version 4.7.9-dev1, consider disabling access to the "/admin.php?action=deleteimage&var1=" URI as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Pluck version 4.7.9-dev1 **Description** A CSRF issue allows deletion of modules via the "/admin.php?action=module delete&var1=" API endpoint, where `var1` is a vulnerable parameter. This can be exploited to delete modules. **Recommendations** For Pluck version 4.7.9-dev1, as a temporary workaround, consider restricting access to the "/admin.php?action=module delete&var1=" API endpoint until a patch is available. Avoid using the `var1` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Pluck version 4.7.9-dev1 **Description** An issue allows administrators to execute arbitrary code by using the action `installmodule` to upload a ZIP archive, which is then extracted and executed. **Recommendations** For Pluck version 4.7.9-dev1, avoid using the `action=installmodule` parameter to upload ZIP archives until a fix is available. As a temporary workaround, consider restricting access to the module installation feature to minimize the risk of exploitation.