CVE-2009-1765

Name of the Vulnerable Software and Affected Versions: pluck version 4.6.2

Description: The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the langpref parameter to specific PHP files, including (1) "data/modules/contactform/module info.php", (2) "data/modules/blog/module info.php", and (3) "data/modules/albums/module info.php". This is possible when register globals is enabled.

Recommendations: For pluck version 4.6.2, consider disabling the register globals setting to prevent exploitation. Additionally, restrict access to the vulnerable modules, specifically data/modules/contactform, data/modules/blog, and data/modules/albums, until a patch is available. Avoid using the langpref parameter in the affected API endpoints until the issue is resolved.