[INC-2024-0005] CVE coordination on Pluck CMS #123

Open
INCIBE-CNA opened this issue Feb 9, 2024 · 2 comments

@INCIBE-CNA

Dear PluckCMS team,

We are writing to you from INCIBE (https://www.incibe.es), the National Institute of Cybersecurity of Spain, about a vulnerability reported by an external researcher in one of your products.

We participate in the CVE Program as a CNA Root (https://www.cve.org/ProgramOrganization/Structure), which enables us to assign and publish CVE codes.

Note that this report is not about an incident; nobody is exploiting the vulnerability. Simply, from INCIBE we take care of managing the CVE report, documentation and publication, in coordination with the affected parties.

As established in our disclosure policy (https://www.incibe.es/en/incibe-cert/early-warning/vulnerabilities/cve-assignment-publication), we are going to make this vulnerability public by the 9th of April.

If you want to provide an email, we will send you the vulnerability draft.

Thank you very much and kind regards,

@INCIBE-CNA
Author

Dear PluckCMS team,

Please find attached the vulnerability draft.
Borrador_aviso_CVE.docx

Kind regards,

@BSteelooper
Contributor

Per GitHub policy and recommendation, we have a SECURITY.md file which contains our disclosure email address:
https://github.com/pluck-cms/pluck/blob/master/SECURITY.md

The draft is not specific enough for us to act on: it states a module, but not which module. Modules are also made by other developers, and we cannot fix those.
If a module is created to achieve this, this is not a Pluck issue. Please provide more information via email so we can look into this.

Kind Regards,
