China-Eugene

Name of the Vulnerable Software and Affected Versions: Pluck CMS version 4.7.9 Description: The issue allows remote attackers to execute arbitrary code and delete a specific article via the component "/admin.php?action=page". This is a Cross Site Request Forgery (CSRF) issue. Recommendations: For Pluck CMS version 4.7.9, consider disabling access to the "/admin.php?action=page" component until a patch is available. Restrict access to the `action` parameter in the `/admin.php` endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Pluck CMS version 4.7.9 Description: The issue allows remote attackers to execute arbitrary code and delete specific images via the component "/admin.php?action=images". This is a Cross Site Request Forgery (CSRF) issue. Recommendations: For Pluck CMS version 4.7.9, as a temporary workaround, consider restricting access to the "/admin.php?action=images" component until a patch is available. Avoid using this component in scenarios where CSRF attacks are possible. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MiniCMS version 1.10 **Description** The issue allows for the deletion of articles via a CSRF vulnerability in the "mc-admin/post.php" endpoint, specifically when the "state" parameter is set to "publish" and the "delete" parameter is utilized. **Recommendations** For MiniCMS version 1.10, consider implementing CSRF protection measures to prevent unauthorized deletion of articles. As a temporary workaround, restrict access to the "mc-admin/post.php" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Pluck version 4.7.9-dev1 **Description** A CSRF issue allows deletion of articles via the "/admin.php?action=deletepage&var1=" URI. **Recommendations** For Pluck version 4.7.9-dev1, as a temporary workaround, consider restricting access to the "/admin.php?action=deletepage&var1=" URI to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Pluck version 4.7.9-dev1 **Description** A CSRF issue allows deletion of a theme via the "/admin.php?action=theme delete&var1=" API endpoint. **Recommendations** For Pluck version 4.7.9-dev1, as a temporary workaround, consider restricting access to the "/admin.php?action=theme delete&var1=" API endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Pluck version 4.7.9-dev1 **Description** An issue was discovered that allows for a CSRF vulnerability, enabling the deletion of pictures via the "/admin.php?action=deleteimage&var1=" URI. **Recommendations** For Pluck version 4.7.9-dev1, consider disabling access to the "/admin.php?action=deleteimage&var1=" URI as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Pluck version 4.7.9-dev1 **Description** A CSRF issue allows deletion of modules via the "/admin.php?action=module delete&var1=" API endpoint, where `var1` is a vulnerable parameter. This can be exploited to delete modules. **Recommendations** For Pluck version 4.7.9-dev1, as a temporary workaround, consider restricting access to the "/admin.php?action=module delete&var1=" API endpoint until a patch is available. Avoid using the `var1` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Pluck version 4.7.9-dev1 **Description** An issue allows administrators to execute arbitrary code by using the action `installmodule` to upload a ZIP archive, which is then extracted and executed. **Recommendations** For Pluck version 4.7.9-dev1, avoid using the `action=installmodule` parameter to upload ZIP archives until a fix is available. As a temporary workaround, consider restricting access to the module installation feature to minimize the risk of exploitation.