PivotX 2.3.11 Cross Site Scripting
Posted on 18 March 2016
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    PivotX 2.3.11
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://pivotx.net/
Vulnerability Type:  Reflected XSS
Remote Exploitable:  Yes
Reported to vendor:  01/20/2016
Disclosed to public: 03/15/2016
Release mode:        Full Disclosure
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

PivotX is a CMS for blogging written in PHP. In version 2.3.11, it is vulnerable to reflected XSS, allowing for the injection of JavaScript keyloggers or the bypassing of CSRF protection. In the case of PivotX, this may lead to code execution via other vulnerabilities in the same version in the admin area.

3. Details

Description

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

The additionalpath parameter of the file explorer is vulnerable to reflected XSS.

Proof of Concept

http://localhost/pivotx_latest/pivotx/index.php?page=homeexplore&additionalpath=pivot<script>alert(1)</script>

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

01/20/2016 Informed Vendor about Issue
01/29/2016 Vendor replies, PivotX is not maintained anymore
03/15/2016 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/PivotX-2311-Reflected-XSS-155.html

--
blog: https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany
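Since the vendor shipped no fix, operators are left with detection and their own output encoding. The following is an added example, not part of the Curesec advisory or of PivotX: it scans constructed access-log lines for injection attempts against the file explorer's additionalpath parameter, and shows the HTML-encoding step that would have rendered the proof-of-concept payload harmless. The log format, sample lines and function names are assumptions.

```python
import re
import html
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not taken from the advisory). The second
# line carries the URL-encoded form of the advisory's proof-of-concept payload.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Mar/2016:10:00:01 +0100] "GET /pivotx/index.php?page=homeexplore&additionalpath=images HTTP/1.1" 200 5120
203.0.113.7 - - [15/Mar/2016:10:00:09 +0100] "GET /pivotx/index.php?page=homeexplore&additionalpath=pivot%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5188
203.0.113.9 - - [15/Mar/2016:10:00:12 +0100] "GET /pivotx/index.php?page=dashboard HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<uri>\S+) HTTP/[\d.]+"')
# A legitimate directory name handed to the file explorer never contains markup
# delimiters, quotes, a javascript: scheme or an inline event handler.
SUSPICIOUS = re.compile(r'[<>"\']|javascript:|on\w+=', re.IGNORECASE)


def suspicious_additionalpath(line: str):
    """Return the decoded additionalpath value when a homeexplore request looks
    like an injection attempt, otherwise None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group("uri")).query, keep_blank_values=True)
    if query.get("page") != ["homeexplore"]:
        return None
    for value in query.get("additionalpath", []):
        decoded = unquote(value)  # second pass catches double-encoded variants
        if SUSPICIOUS.search(decoded):
            return decoded
    return None


def scan_log(text: str):
    """Return (line_number, decoded_value) pairs for every flagged request."""
    return [(i, v) for i, line in enumerate(text.splitlines(), 1)
            if (v := suspicious_additionalpath(line)) is not None]


def render_path(additionalpath: str) -> str:
    """The missing hardening: HTML-encode the parameter before reflecting it into
    the page, so <script> arrives in the browser as inert text."""
    return html.escape(additionalpath, quote=True)


if __name__ == "__main__":
    for lineno, value in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: additionalpath={value!r} -> safe: {render_path(value)}")
```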