PT-2019-19334 · Pluck · Pluck
China-Eugene · Published 2019-02-23 · Updated 2019-02-25 · CVE-2019-9049
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Pluck version 4.7.9-dev1
Description
A CSRF issue allows deletion of modules via the "/admin.php?action=module delete&var1=" API endpoint, where var1 is the vulnerable parameter. This can be exploited to delete modules.
Recommendations
For Pluck version 4.7.9-dev1, as a temporary workaround, consider restricting access to the "/admin.php?action=module delete&var1=" API endpoint until a patch is available. Avoid using the var1 parameter in the affected API endpoint until the issue is resolved.
Exploit
Fix
CSRF
Weakness Enumeration
Related Identifiers
Affected Products
Pluck