PT-2017-6263 · Pluck · Pluck Cms

Published: 2017-03-17 · Updated: 2017-03-28 · CVE-2014-8706

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Pluck CMS version 4.7.2

Description: The issue allows remote attackers to obtain sensitive information. This can be achieved by modifying the PHPSESSID cookie or the image parameter in specific ways: changing PHPSESSID to an array, adding non-alphanumeric characters to PHPSESSID, changing the image parameter to an array, or changing the image parameter to a string. Each of these causes the application to reveal the installation path in an error message.

Recommendations: For Pluck CMS version 4.7.2, restrict access to sensitive information and error messages to minimize the risk of exploitation. As a temporary workaround, avoid using array or string values for the image parameter and ensure PHPSESSID is properly validated to prevent manipulation.
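The two recommendations above amount to input validation plus error suppression. The following PHP is an added illustration of that hardening, not Pluck's own code: it assumes a front-controller script that serves an image named by the `image` query parameter and reads the `PHPSESSID` cookie; the function `safeScalar` and the `images/` directory are hypothetical. Non-string (array) values and values with unexpected characters are rejected before they reach `session_start()` or the filesystem, and PHP warnings, which carry the absolute installation path, are logged rather than displayed.

```php
<?php
// Added hardening example (hypothetical; not Pluck's code).
declare(strict_types=1);

// Warnings and notices embed absolute paths: log them, never display them.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Return $value only if it is a plain string matching $pattern; otherwise null.
 * Arrays (image[]=x, PHPSESSID[]=x) and strings with unexpected characters are
 * rejected here instead of producing a warning deeper in the application.
 */
function safeScalar(mixed $value, string $pattern): ?string
{
    if (!is_string($value) || preg_match($pattern, $value) !== 1) {
        return null;
    }
    return $value;
}

// Session id: PHP's own ids are drawn from [0-9a-zA-Z,-] (session.sid_bits_per_character).
$sid = safeScalar($_COOKIE['PHPSESSID'] ?? null, '/\A[0-9a-zA-Z,-]{22,256}\z/');
if ($sid === null) {
    // Drop a tampered cookie so session_start() issues a fresh id instead of
    // warning about an invalid one (session_start reads the id from $_COOKIE).
    unset($_COOKIE['PHPSESSID']);
}
session_start();

// Image parameter: a bare file name with an allow-listed extension, no separators.
$image = safeScalar($_GET['image'] ?? null, '/\A[A-Za-z0-9_-]+\.(?:png|jpe?g|gif)\z/');
if ($image === null) {
    http_response_code(400);
    exit('Invalid request.');           // generic text, no path leaks to the client
}

$path = __DIR__ . '/images/' . $image;  // hypothetical image directory
if (!is_file($path)) {
    http_response_code(404);
    exit('Not found.');
}

// Fixed content-type map keyed by the validated extension (no fileinfo dependency).
$types = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];
$ext   = strtolower(pathinfo($image, PATHINFO_EXTENSION));
header('Content-Type: ' . $types[$ext]);
readfile($path);
```

The key design choice is that validation happens at the boundary, before any library call that might emit a warning: `is_string` handles the array case, the regex handles the non-alphanumeric case, and `display_errors=0` is the backstop for anything missed.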


Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2014-8706

Affected Products

Pluck Cms