CVE-2020-29607
CVE-2020-29607
Vexday Risk Score
35Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Proof of concept
Popular PoC on GitHub (6 stars) — exploitation code widely available.
CVSS —EPSS 33.4%KEV nãoPoC públicaNuclei —Metasploit —Patch —
Lifecycle
16 Dec 2020Published on NVD
26 May 2021Public PoC
Weaponization speed
160 daysto first PoC
Recommendation: Plan a near-term fix — a public PoC already exists.
A file upload restriction bypass vulnerability in Pluck CMS before 4.7.13 allows an admin privileged user to gain access in the host through the "manage files" functionality, which may result in remote code execution.
Affected products
n/a · n/apublic PoCs found — 7
githubgithub.com/abbarhissarh/CVE-2020-29607★ 6githubgithub.com/estebanzarate/CVE-2020-29607-Pluck-CMS-4.7.13-Authenticated-File-Upload-RCE-PoC★ 1githubgithub.com/0xN7y/CVE-2020-29607★ 1githubgithub.com/Alienfader/CVE-2020-29607★ 0githubgithub.com/CaelumIsMe/CVE-2020-29607-POC★ 0cve_referencepacketstormsecurity.com/files/162785/Pluck-CMS-4.7.13-Remote-Shell-Upload.htmlunverifiedexploitdbwww.exploit-db.com/exploits/49909unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.