{"vuid":"VU#901156","idnumber":"901156","name":"PivotX 2.3.8 contains multiple vulnerabilities","keywords":["pivotx","xss","cwe-79","cwe-434","file","upload"],"overview":"PivotX 2.3.8, and possibly earlier versions, contains cross-site scripting (CWE-79) and unsafe file upload (CWE-434) vulnerabilities.","clean_desc":"PivotX 2.3.8, and possibly earlier versions, contains cross-site scripting (CWE-79) and unsafe file upload (CWE-434) vulnerabilities. CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2014-0341\nPivotX overview screens were susceptible to cross-site scripting attacks. The following code commits provide the details. http://sourceforge.net/p/pivot-weblog/code/4349/\nhttp://sourceforge.net/p/pivot-weblog/code/4345/ CWE-434: Unrestricted Upload of File with Dangerous Type - CVE-2014-0342\nThe file upload check did not include the file extension. The following code commit provides the details. http://sourceforge.net/p/pivot-weblog/code/4347/ The CVSS score below is for CVE-2014-0342.","impact":"A remote authenticated attacker may be able to inject arbitrary script into a web page or upload a malicious file.","resolution":"Apply an Update PivotX 2.3.9 has been released to address these vulnerabilities.","workarounds":"","sysaffected":"","thanks":"Thanks to Diego GarcĂ­a for reporting these vulnerabilities.","author":"This document was written by Jared Allar.","public":["http://pivotx.net/page/security","http://blog.pivotx.net/archive/2014/03/03/pivotx-239-released","https://cwe.mitre.org/data/definitions/434.html","https://cwe.mitre.org/data/definitions/79.html"],"cveids":["CVE-2014-0341","CVE-2014-0342"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2014-03-05T19:01:49Z","publicdate":"2014-03-05T00:00:00Z","datefirstpublished":"2014-04-11T23:10:05Z","dateupdated":"2014-07-24T21:10:47Z","revision":7,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"P","cvss_integrityimpact":"P","cvss_availabilityimpact":"P","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"L","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"6.5","cvss_basevector":"AV:N/AC:L/Au:S/C:P/I:P/A:P","cvss_temporalscore":"5.1","cvss_environmentalscore":"1.27683519756581","cvss_environmentalvector":"CDP:ND/TD:L/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}