MidnightBSD

Advisories for plume-cms

CVE-2006-0725 MEDIUM

PHP remote file inclusion vulnerability in prepend.php in Plume CMS 1.0.2, when register_globals is enabled, allows remote attackers to include arbitrary files via a URL in the _PX_config[manager_path] parameter. NOTE: this is a different executable and affected version than CVE-2006-2645.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
plume-cms plume_cms 1.0.2
CVE-2006-2645 HIGH

PHP remote file inclusion vulnerability in manager/frontinc/prepend.php for Plume 1.0.3 allows remote attackers to execute arbitrary code via a URL in the _PX_config[manager_path] parameter. NOTE: this is a different executable and affected version than CVE-2006-0725.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
plume-cms plume_cms 1.0.3
CVE-2006-3562 HIGH

PHP remote file inclusion vulnerabilities in plume cms 1.0.4 allow remote attackers to execute arbitrary PHP code via a URL in the _PX_config[manager_path] parameter to (1) index.php, (2) rss.php, or (3) search.php, a different set of vectors and versions than CVE-2006-2645 and CVE-2006-0725.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
plume-cms plume_cms 1.0.4
CVE-2009-3418 MEDIUM

Multiple SQL injection vulnerabilities in Plume CMS 1.2.3 allow (1) remote authenticated users to execute arbitrary SQL commands via the m parameter to manager/index.php and (2) remote authenticated administrators to execute arbitrary SQL commands via the id parameter in an edit_link action to manager/tools.php. NOTE: some of these details are obtained from third party information.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
plume-cms plume_cms 1.2.3
CVE-2011-3985 LOW

Cross-site scripting (XSS) vulnerability in Plume before 1.2.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
plume-cms plume_cms 1.0.2
plume-cms plume_cms 1.0.5
plume-cms plume_cms *
plume-cms plume_cms 1.2.1
plume-cms plume_cms 1.0.3
plume-cms plume_cms 1.1.3
plume-cms plume_cms 1.0.4
plume-cms plume_cms 1.2
plume-cms plume_cms 1.0.6
CVE-2012-2156 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in Plume CMS 1.2.4 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the u_email parameter (aka Authors Email field) to manager/users.php, (2) the u_realname parameter (aka Authors Name field) to manager/users.php, or (3) the c_author parameter (aka Author field) in an ADD A COMMENT section.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
plume-cms plume_cms 1.0.2
plume-cms plume_cms 1.0.5
plume-cms plume_cms *
plume-cms plume_cms 1.2.1
plume-cms plume_cms 1.2.2
plume-cms plume_cms 1.0.3
plume-cms plume_cms 1.1.3
plume-cms plume_cms 1.2.3
plume-cms plume_cms 1.0.4
plume-cms plume_cms 1.2
plume-cms plume_cms 1.0.6