CVE-2024-9405

Oct. 1, 2024, 12:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Pluck CMS

  • 4.7.18

Source

cve-coordination@incibe.es

Tags

CVE-2024-9405 details

Published : Oct. 1, 2024, 12:15 p.m.
Last Modified : Oct. 1, 2024, 12:15 p.m.

Description

An incorrect limitation of a path to a restricted directory (path traversal) has been detected in Pluck CMS, affecting version 4.7.18. An unauthenticated attacker could extract sensitive information from the server via the absolute path of a file located in the same directory or subdirectory as the module, but not from recursive directories.

CVSS Score

1 2 3 4 5.3 6 7 8 9 10

Weakness

Weakness Name Description
CWE-23 Relative Path Traversal The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

Base Score

5.3

Exploitability Score

3.9

Impact Score

1.4

Base Severity

MEDIUM

This website uses the NVD API, but is not approved or certified by it.