PT-2006-1777 · Plume · Plume Cms
Published
2006-02-16
·
Updated
2017-07-20
·
CVE-2006-0725
CVSS v2.0
6.8
Medium
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Plume CMS version 1.0.2
Description
The issue allows remote attackers to include arbitrary files via a URL in the
PX config[manager path] parameter when register globals is enabled.Recommendations
For Plume CMS version 1.0.2, consider disabling the
register globals setting to prevent exploitation. Additionally, restrict access to the prepend.php file to minimize the risk of including arbitrary files. Avoid using the PX config[manager path] parameter in the affected API endpoint until the issue is resolved.Exploit
Fix
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Plume Cms