Overview
PivotX 2.3.8, and possibly earlier versions, contains cross-site scripting (CWE-79) and unsafe file upload (CWE-434) vulnerabilities.
Description
PivotX 2.3.8, and possibly earlier versions, contains cross-site scripting (CWE-79) and unsafe file upload (CWE-434) vulnerabilities.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2014-0341
Impact
A remote authenticated attacker may be able to inject arbitrary script into a web page or upload a malicious file.
Solution
Apply an Update
Vendor Information
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
PivotX | Affected | - | 11 Apr 2014 |
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 8.5 | AV:N/AC:L/Au:S/C:C/I:C/A:-- |
Temporal | 8.5 | E:ND/RL:ND/RC:ND |
Environmental | 6.4 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
- http://pivotx.net/page/security
- http://blog.pivotx.net/archive/2014/03/03/pivotx-239-released
- https://cwe.mitre.org/data/definitions/434.html
- https://cwe.mitre.org/data/definitions/79.html
Credit
Thanks to Diego García for reporting these vulnerabilities.
This document was written by Jared Allar.
Other Information
- CVE IDs: CVE-2014-0341 CVE-2014-0342
- Date Public: 05 Mar 2014
- Date First Published: 11 Apr 2014
- Date Last Updated: 11 Apr 2014
- Document Revision: 4