Vulnerabilities > CVE-2014-0342 - Arbitrary File Upload vulnerability in PivotX 'fileupload.php'

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

pivotx

NVD

Published: 2014-04-15

Updated: 2014-04-15

Summary

Multiple unrestricted file upload vulnerabilities in fileupload.php in PivotX before 2.3.9 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) .php or (2) .php# extension, and then accessing it via unspecified vectors. Per: http://cwe.mitre.org/data/definitions/434.html "CWE-434: Unrestricted Upload of File with Dangerous Type"

Vulnerable Configurations

Part	Description	Count
Application	Pivotx Pivotx Pivotx 2.1.0 Pivotx Pivotx 2.1.1 Pivotx Pivotx 2.1.2 Pivotx Pivotx 2.2.0 Pivotx Pivotx 2.2.1 Pivotx Pivotx 2.2.2 Pivotx Pivotx 2.2.3 Pivotx Pivotx 2.2.5 Pivotx Pivotx 2.3.0 Pivotx Pivotx 2.3.2 Pivotx Pivotx 2.3.3 Pivotx Pivotx 2.3.5 Pivotx Pivotx 2.3.6 Pivotx Pivotx 2.3.7 Pivotx Pivotx 2.3.8	18

Seebug

bulletinFamily	exploit
description	Bugtraq ID:66797 CVE ID:CVE-2014-0342 PivotX是一款功能强大的开源博客CMS系统。 PivotX上传检查不正确处理文件名扩展，允许攻击者利用漏洞提交包含危险扩展类型的文件，并以WEB权限执行。 0 PivotX 2.3.8 PivotX 2.3.9版本已修复该漏洞，建议用户下载使用： http://pivotx.net/
id	SSV:62196
last seen	2017-11-19
modified	2014-04-16
published	2014-04-16
reporter	Root
title	PivotX 'fileupload.php'任意文件上传漏洞

Summary

Vulnerable Configurations

Seebug

References