#VU8654 Unrestricted file upload in PivotX - CVE-2017-14958
Published: October 2, 2017
Vulnerability identifier: #VU8654
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:U/U:Clear
CVE-ID: CVE-2017-14958
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
PivotX
PivotX
Software vendor:
pivotlog.net
pivotlog.net
Description
The vulnerability allows a remote attacker to execute arbitrary PHP code on the target system.
The vulnerability exists due to insufficient validation of the uploaded files in "lib.php" script. A remote authenticated administrator can upload and execute arbitrary .php script.
Successful exploitation may allow an attacker to compromise vulnerable website.
The vulnerability exists due to insufficient validation of the uploaded files in "lib.php" script. A remote authenticated administrator can upload and execute arbitrary .php script.
Successful exploitation may allow an attacker to compromise vulnerable website.
Remediation
Install update from vendor's repository.
https://sourceforge.net/p/pivot-weblog/code/4490/
https://sourceforge.net/p/pivot-weblog/code/4490/