CVE-2018-11331: Malicious File Upload
First published: Mon May 21 2018(Updated: )
An issue was discovered in Pluck before 4.7.6. Remote PHP code execution is possible because the set of disallowed filetypes for uploads in missing some applicable ones such as .phtml and .htaccess.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Pluck CMS | <4.7.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2018-11331.
What is the severity of CVE-2018-11331?
The severity of CVE-2018-11331 is critical with a CVSS score of 9.8.
What is the affected software for CVE-2018-11331?
The affected software for CVE-2018-11331 is Pluck CMS versions up to and excluding 4.7.6.
How does CVE-2018-11331 allow remote PHP code execution?
CVE-2018-11331 allows remote PHP code execution because the set of disallowed filetypes for uploads is missing some applicable ones.
Are there any known fixes for CVE-2018-11331?
Yes, the issue has been fixed in Pluck CMS version 4.7.6. It is recommended to upgrade to this version to mitigate the vulnerability.
- agent/references
- agent/type
- agent/remedy
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/author
- agent/last-modified-date
- agent/first-publish-date
- agent/description
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/pluck-cms
- canonical/pluck cms