Vulnerability Description
Directory traversal vulnerability in data/inc/theme.php in Pluck 4.3, when register_globals is enabled, allows remote attackers to read arbitrary local files via a .. (dot dot) in the file parameter. NOTE: CVE and a reliable third party dispute this vulnerability because the code uses a fixed argument when invoking fputs, which cannot be used to read files
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pluck | Pluck | 4.3 |
References
- http://outlaw.aria-security.info/?p=12
- http://securityreason.com/securityalert/2973
- http://www.attrition.org/pipermail/vim/2007-August/001752.html
- http://www.securityfocus.com/archive/1/475323/100/0/threaded
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35757
- http://outlaw.aria-security.info/?p=12
- http://securityreason.com/securityalert/2973
- http://www.attrition.org/pipermail/vim/2007-August/001752.html
- http://www.securityfocus.com/archive/1/475323/100/0/threaded
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35757
FAQ
What is CVE-2007-4180?
CVE-2007-4180 is a vulnerability with a CVSS score of 5.0 (MEDIUM). Directory traversal vulnerability in data/inc/theme.php in Pluck 4.3, when register_globals is enabled, allows remote attackers to read arbitrary local files via a .. (dot dot) in the file parameter. ...
How severe is CVE-2007-4180?
CVE-2007-4180 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2007-4180?
Check the references section above for vendor advisories and patch information. Affected products include: Pluck Pluck.