cbcvebase.

Plume-Cms Plume Cms vulnerabilities

10 known vulnerabilities affecting plume-cms/plume_cms.

Total CVEs
10
CISA KEV
0
Public exploits
7
Exploited in wild
0
Severity breakdown
HIGH4MEDIUM5LOW1

Vulnerabilities

Page 1 of 1
CVE-2006-7021P3HIGHCVSS 7.5PoCv1.1.32007-02-15
CVE-2006-7021 [HIGH] CWE-94 CVE-2006-7021: PHP remote file inclusion vulnerability in manager/tools/link/dbinstall.php in Plume CMS 1.1.3 allow PHP remote file inclusion vulnerability in manager/tools/link/dbinstall.php in Plume CMS 1.1.3 allows remote attackers to execute arbitrary PHP code via a URL in the _PX_config[manager_path] parameter.
nvd
CVE-2006-2645P3HIGHCVSS 7.5PoCv1.0.32006-05-30
CVE-2006-2645 [HIGH] CVE-2006-2645: PHP remote file inclusion vulnerability in manager/frontinc/prepend.php for Plume 1.0.3 allows remot PHP remote file inclusion vulnerability in manager/frontinc/prepend.php for Plume 1.0.3 allows remote attackers to execute arbitrary code via a URL in the _PX_config[manager_path] parameter. NOTE: this is a different executable and affected version than CVE-2006-0725.
nvd
CVE-2006-3562P3HIGHCVSS 7.5PoCv1.0.42006-07-13
CVE-2006-3562 [HIGH] CVE-2006-3562: PHP remote file inclusion vulnerabilities in plume cms 1.0.4 allow remote attackers to execute arbit PHP remote file inclusion vulnerabilities in plume cms 1.0.4 allow remote attackers to execute arbitrary PHP code via a URL in the _PX_config[manager_path] parameter to (1) index.php, (2) rss.php, or (3) search.php, a different set of vectors and versions than CVE-2006-2645 and CVE-2006-0725.
nvd
CVE-2009-3418P3MEDIUMCVSS 6.5PoCv1.2.32009-09-25
CVE-2009-3418 [MEDIUM] CWE-89 CVE-2009-3418: Multiple SQL injection vulnerabilities in Plume CMS 1.2.3 allow (1) remote authenticated users to ex Multiple SQL injection vulnerabilities in Plume CMS 1.2.3 allow (1) remote authenticated users to execute arbitrary SQL commands via the m parameter to manager/index.php and (2) remote authenticated administrators to execute arbitrary SQL commands via the id parameter in an edit_link action to manager/tools.php. NOTE: some of these details are obtained
nvd
CVE-2006-0725P4MEDIUMCVSS 6.8PoCv1.0.22006-02-16
CVE-2006-0725 [MEDIUM] CWE-94 CVE-2006-0725: PHP remote file inclusion vulnerability in prepend.php in Plume CMS 1.0.2, when register_globals is PHP remote file inclusion vulnerability in prepend.php in Plume CMS 1.0.2, when register_globals is enabled, allows remote attackers to include arbitrary files via a URL in the _PX_config[manager_path] parameter. NOTE: this is a different executable and affected version than CVE-2006-2645.
nvd
CVE-2012-1414P4MEDIUMCVSS 6.8PoC≤ 1.2.4v1.0.2+9 more2012-10-07
CVE-2012-1414 [MEDIUM] CWE-352 CVE-2012-1414: Cross-site request forgery (CSRF) vulnerability in manager/news.php in Plume CMS 1.2.4 and earlier a Cross-site request forgery (CSRF) vulnerability in manager/news.php in Plume CMS 1.2.4 and earlier allows remote attackers to hijack the authentication of administrators for requests that create News pages via a publish action.
nvd
CVE-2012-2156P4MEDIUMCVSS 4.3PoC≤ 1.2.4v1.0.2+9 more2012-04-11
CVE-2012-2156 [MEDIUM] CWE-79 CVE-2012-2156: Multiple cross-site scripting (XSS) vulnerabilities in Plume CMS 1.2.4 and earlier allow remote atta Multiple cross-site scripting (XSS) vulnerabilities in Plume CMS 1.2.4 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the u_email parameter (aka Authors Email field) to manager/users.php, (2) the u_realname parameter (aka Authors Name field) to manager/users.php, or (3) the c_author parameter (aka Author field) in an
nvd
CVE-2006-4533P4HIGHCVSS 7.5≤ 1.0.6v1.0.52006-09-01
CVE-2006-4533 [HIGH] CVE-2006-4533: Multiple PHP remote file inclusion vulnerabilities in Plume CMS 1.0.6 and earlier allow remote attac Multiple PHP remote file inclusion vulnerabilities in Plume CMS 1.0.6 and earlier allow remote attackers to execute arbitrary PHP code via the _PX_config[manager_path] parameter to (1) articles.php, (2) categories.php, (3) news.php, (4) prefs.php, (5) sites.php, (6) subtypes.php, (7) users.php, (8) xmedia.php, (9) frontinc/class.template.php, (10) inc/lib.text.
nvd
CVE-2008-1048P4MEDIUMCVSS 4.3v1.2.22008-02-27
CVE-2008-1048 [MEDIUM] CWE-79 CVE-2008-1048: Cross-site scripting (XSS) vulnerability in manager/xmedia.php in Plume CMS 1.2.2 allows remote atta Cross-site scripting (XSS) vulnerability in manager/xmedia.php in Plume CMS 1.2.2 allows remote attackers to inject arbitrary web script or HTML via the dir parameter.
nvd
CVE-2011-3985P4LOWCVSS 2.6≤ 1.2.2v1.0.2+7 more2011-11-09
CVE-2011-3985 [LOW] CWE-79 CVE-2011-3985: Cross-site scripting (XSS) vulnerability in Plume before 1.2.3 allows remote attackers to inject arb Cross-site scripting (XSS) vulnerability in Plume before 1.2.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
nvd
Plume-Cms Plume Cms vulnerabilities | cvebase