Naiagoesawoo

**Name of the Vulnerable Software and Affected Versions** Pluck-CMS Pluck version 4.7.15 **Description** The issue allows an attacker to sustain unauthorized access to the platform due to a session fixation vulnerability in the login.php file. This is because prior sessions are not invalidated after a password change, enabling access to be sustained even after an administrator resets their password. **Recommendations** For Pluck-CMS Pluck version 4.7.15, consider disabling the login functionality in login.php until a patch is available to mitigate the risk of session fixation. Restrict access to the login.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Pluck-CMS Pluck version 4.7.15 **Description** The issue allows an attacker to upload specially crafted zip files, resulting in directory traversal and potentially arbitrary code execution. **Recommendations** For Pluck-CMS Pluck version 4.7.15, consider restricting the upload of zip files or validating the contents of uploaded zip files to prevent directory traversal and arbitrary code execution. As a temporary workaround, consider disabling the zip file upload feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Pluck version 4.7.15 **Description** A Missing SSL Certificate Validation issue exists in the update applet.php file, which could lead to man-in-the-middle attacks. **Recommendations** For Pluck version 4.7.15, consider disabling the update applet.php file until a patch is available to prevent potential man-in-the-middle attacks. Restrict access to this file to minimize the risk of exploitation.