PivotX 2.3.8, and possibly earlier versions, contains cross-site scripting (CWE-79) and unsafe file upload (CWE-434) vulnerabilities.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2014-0341
A remote authenticated attacker may be able to inject arbitrary script into a web page or upload a malicious file.
Apply an Update
Thanks to Diego García for reporting these vulnerabilities.