CVE-2008-3574

Name of the Vulnerable Software and Affected Versions Pluck version 4.5.2

Description The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can occur through various parameters in different PHP files, including lang footer in data/inc/footer.php, multiple parameters in data/inc/header.php and data/inc/header2.php, and lang theme6 in data/inc/themeinstall.php. The affected parameters are: lang footer, pluck version, lang install22, titelkop, lang kop1, lang kop2, lang modules, lang kop4, lang kop15, lang kop5, and lang theme6.

Recommendations For Pluck version 4.5.2, consider disabling the register globals setting to mitigate the risk of exploitation. As a temporary workaround, restrict access to the vulnerable parameters, such as lang footer, pluck version, lang install22, titelkop, lang kop1, lang kop2, lang modules, lang kop4, lang kop15, lang kop5, and lang theme6, in the affected PHP files until a patch is available. Avoid using these parameters in the "data/inc/footer.php", "data/inc/header.php", "data/inc/header2.php", and "data/inc/themeinstall.php" files until the issue is resolved.