Incorrect limitation of a path to a restricted directory in Pluck CMS
Pluck CMS, version 4.7.18.
INCIBE has coordinated the publication of one medium-severity vulnerability affecting version 4.7.18 of Pluck CMS, a small and simple content management system (CMS) written in PHP. The vulnerability was discovered by David Utón Amaya.
This vulnerability has been assigned the following CVE identifier, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:
- CVE-2024-9405: CVSS v3.1 base score: 5.3 | CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | CWE-23
There is no reported solution at this time.
CVE-2024-9405: an incorrect limitation of a path to a restricted directory (path traversal) has been detected in Pluck CMS, affecting version 4.7.18. An unauthenticated attacker could extract sensitive information from the server via the absolute path of a file located in the same directory or subdirectory as the module, but not from recursive directories.