Closed naiagoesawoo closed 3 years ago
Could you perform a retest with the latest dev version?
Hello,
I confirm that the reported missing SSL Certificate Validation issue has been fixed. :)
Hello,
I confirm that the reported missing SSL certificate validation issue has been fixed. :)
Boss, how did you apply for the CVE number?
Issue Summary
Pluck's update system deliberately skips SSL certificate validation.
Detailed Description
Within update_applet.php is the following code:
This ensures peer SSL certificates are never validated.
Impact
In theory, this vulnerability can make Pluck's update system susceptible to man-in-the-middle attacks.
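For the issue described above, an update fetch that validates the server certificate and fails closed could look like the sketch below. It is an added example, not Pluck's code or its actual fix: the function name `fetch_update_info` and the choice of PHP's cURL extension are assumptions, and the commented "weak" lines show the usual shape of disabled validation, not the contents of update_applet.php.

```php
<?php
// Added example: hypothetical helper, not taken from Pluck.
// Disabled validation with PHP's cURL extension typically looks like this (assumed shape):
//     curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // weak: any certificate is accepted
//     curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);     // weak: hostname is never checked

function fetch_update_info(string $url): string
{
    // Only HTTPS is acceptable for update traffic; reject anything else up front.
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('Update URL must use https');
    }

    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('Could not initialise cURL');
    }

    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,             // validate the chain against trusted CAs
        CURLOPT_SSL_VERIFYHOST => 2,                // certificate must match the hostname
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,  // no plain-HTTP fallback
        CURLOPT_FOLLOWLOCATION => false,            // do not follow redirects to other hosts
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    ]);

    $body = curl_exec($ch);
    if ($body === false) {
        // Fail closed: a certificate error aborts the update check, it is never retried insecurely.
        throw new RuntimeException(
            sprintf('Update check failed (%d): %s', curl_errno($ch), curl_error($ch))
        );
    }

    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    if ($status !== 200) {
        throw new RuntimeException("Unexpected HTTP status $status from update server");
    }

    return $body;
}
```

A retest like the one requested in this thread can point the function at a host presenting a self-signed or mismatched certificate and confirm that it throws instead of returning a body.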