Unrestricted File Upload Vulnerability in PluckCMS by Pluck
CVE-2019-1010062

9.8 CRITICAL

Key Information:

Vendor: Pluck-cms

Status
Vendor
CVE Published: 16 July 2019

What is CVE-2019-1010062?

PluckCMS versions 4.7.4 and earlier are vulnerable to an unrestricted file upload issue, classified as CWE-434. The vulnerability allows attackers to upload malicious files, potentially leading to web shell access on affected servers. It arises when an attacker manipulates the MIME type in the HTTP request, which enables the upload of PHP files through the data/inc/images.php component. A fixed version is available after commit 09f0ab871bf633973cfd9fc4fe59d4a912397cf8.
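An added example, not code from Pluck or from this advisory: the weak pattern the description names (trusting the MIME type sent in the request) beside a hardened check that inspects the file itself. The function names, the allowlist and the sample upload array are assumptions constructed for illustration.

```php
<?php
// Illustrative only: hypothetical names, not Pluck's data/inc/images.php.

// Server-side allowlist: detected MIME type => extension the server will assign.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Weak: $file['type'] is copied from the multipart Content-Type header,
// so the client decides what it says.
function weak_check(array $file): bool
{
    return isset(ALLOWED[$file['type']]);
}

// Hardened: ignore the client's 'type' and 'name'. Sniff the bytes, require
// the file to parse as an image, and derive the stored name on the server.
// Returns the filename to store under, or null when the upload is rejected.
function hardened_check(array $file): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected === false || !isset(ALLOWED[$detected])) {
        return null;
    }
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }
    // Random name plus allowlisted extension: nothing client-supplied
    // reaches the filesystem path.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED[$detected];
}

// Constructed sample: PHP source declared as image/jpeg by the client.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php echo 'constructed sample'; ?>");
$upload = [
    'name'     => 'avatar.php',
    'type'     => 'image/jpeg',   // client-controlled claim
    'tmp_name' => $tmp,
    'error'    => UPLOAD_ERR_OK,
];

echo 'weak_check accepts: ', var_export(weak_check($upload), true), PHP_EOL;
echo 'hardened_check result: ', var_export(hardened_check($upload), true), PHP_EOL;
unlink($tmp);
```

Content sniffing is not sufficient by itself, because a file can be a valid image and still carry PHP code; the server-assigned extension and an upload directory where PHP execution is disabled are what keep such a file inert.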

Affected Version(s)

PluckCMS ≤ 4.7.4 [fixed: after commit 09f0ab871bf633973cfd9fc4fe59d4a912397cf8]

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
