PivotX 2.3.11: Reflected XSS
Date: 2016-03-15 13:50:581. Introduction
| Affected Product: | PivotX 2.3.11 |
| Fixed in: | not fixed |
| Fixed Version Link: | n/a |
| Vendor Website: | http://pivotx.net/ |
| Vulnerability Type: | Reflected XSS |
| Remote Exploitable: | Yes |
| Reported to vendor: | 01/20/2016 |
| Disclosed to public: | 03/15/2016 |
| Release mode: | Full Disclosure |
| CVE: | n/a |
| Credits | Tim Coen of curesec GmbH |
2. Overview
PivotX is a CMS for blogging written in PHP. In version 2.3.11, it is vulnerable to reflected XSS, allowing for the injection of JavaScript keyloggers or the bypassing of CSRF protection. In the case of PivotX, this may lead to code execution via other vulnerabilities in the same version in the admin area.
3. Details
Description
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
The additionalpath parameter of the file explorer is vulnerable to reflected XSS.
Proof of Concept
http://localhost/pivotx_latest/pivotx/index.php?page=homeexplore&additionalpath=pivot<script>alert(1)</script>
4. Solution
This issue was not fixed by the vendor.
5. Report Timeline
| 01/20/2016 | Informed Vendor about Issue |
| 01/29/2016 | Vendor replies, PivotX is not maintained anymore |
| 03/15/2016 | Disclosed to public |