Software Engineering Institute

PivotX 2.3.8, and possibly earlier versions, contains cross-site scripting (CWE-79) and unsafe file upload (CWE-434) vulnerabilities.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2014-0341
PivotX overview screens were susceptible to cross-site scripting attacks. The following code commits provide the details.
http://sourceforge.net/p/pivot-weblog/code/4349/
http://sourceforge.net/p/pivot-weblog/code/4345/

CWE-434: Unrestricted Upload of File with Dangerous Type - CVE-2014-0342
The file upload check did not include the file extension. The following code commit provides the details.
http://sourceforge.net/p/pivot-weblog/code/4347/

The CVSS score below is for CVE-2014-0342.

A remote authenticated attacker may be able to inject arbitrary script into a web page or upload a malicious file.

Apply an Update

PivotX 2.3.9 has been released to address these vulnerabilities.