Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2018-1306

CWE-200 — Information Exposure7 documents6 sources

Severity

7.5HIGH

EPSS

65.2%

top 1.52%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Apache Software Foundation Apache Pluto Apache Pluto

Timeline

PublishedJun 27

Latest updateOct 28

Description

The PortletV3AnnotatedDemo Multipart Portlet war file code provided in Apache Pluto version 3.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to restrict path information provided during a file upload. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.apache.portals.pluto:pluto-container3.0.0 — 3.0.1

▶NVDapache/pluto3.0.0

▶CVEListV5apache_software_foundation/apache_pluto3.0.0

🔴Vulnerability Details

OSV

f2fs: fix to do sanity check on node footer for non inode dnode↗2025-10-28

▶

OSV

Exposure of Sensitive Information in Apache Pluto↗2022-05-14

▶

GHSA

Exposure of Sensitive Information in Apache Pluto↗2022-05-14

▶

CVEList

CVE-2018-1306: The PortletV3AnnotatedDemo Multipart Portlet war file code provided in Apache Pluto version 3↗2018-06-27

▶

💥Exploits & PoCs

Exploit-DB

Apache Portals Pluto 3.0.0 - Remote Code Execution↗2018-09-13

▶