CVE-2014-8706 Information

Description

Pluck CMS 4.7.2 allows remote attackers to obtain sensitive information by (1) changing \PHPSESSID\ to an array; (2) adding non-alphanumeric chars to \PHPSESSID; (3) changing the image parameter to an array; or (4) changing the image parameter to a string which reveals the installation path in an error message.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference

http://rossmarks.uk/portfolio.php http://rossmarks.uk/whitepapers/pluck_cms_4.7.txt

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

LOW

Availability Impact

NONE

Base Score

NONE

Base Severity

5.3