Security

Introduction

We take seriously any security issues found in our code. Below, you can see past security issues which were discovered and fixed (in the current stable release).

Should you find a security issue in the PivotX programming code, please contact the PivotX security team in advance before publishing it. This way we can prepare a fix and release the fix together with your announcement. You will be also given credit in our security announcement.

Please note that any support requests on this address will not be answered; you should use the support forum.

Issue list

  • CVE 2014-XXXX - cross-site scripting (XSS) vulnerability in the file explorer. Fixed in PivotX 2.3.10. Reported by Antoine Laureau (working at ITekia).
  • Cross-site scripting (XSS) vulnerability in the request variable "px_message". Fixed in PivotX 2.3.10. Reported by Waledac Oxana.
  • CVE-2014-0342 - remote file upload vulnerability. Mitigated by the fact that an attacker must have a PivotX account. Fixed in PivotX 2.3.9. Reported by Diego García (Japson).
  • CVE-2014-0341 - various cross-site scripting (XSS) vulnerabilities in the admin pages. Mitigated by the fact that an attacker must have a PivotX account. Fixed in PivotX 2.3.9. Reported by Diego García (Japson).
  • CVE-2014-0341 - cross-site scripting (XSS) vulnerability in the nickname (and possibly the email) field. Mitigated by the fact that an attacker must have a PivotX account. Fixed in PivotX 2.3.9.
  • CVE-2012-2274 - cross-site scripting (XSS) vulnerability in pivotx/ajaxhelper.php allowed remote attackers to inject arbitrary web script or HTML via the file parameter. Fixed in PivotX 2.3.3.
  • SA45416 - TimThumb domain name security bypass and insecure cache handling.
    PivotX before 2.3.0 includes a vulnerable version of TimThumb.
  • CVE-2011-1035 - password reset vulnerability. Fixed in PivotX 2.3.2.
  • CVE-2011-0775 - path disclosure weakness. Fixed in PivotX 2.3.2.
  • CVE-2011-0774 - path disclosure weakness. Fixed in PivotX 2.3.2.
  • CVE-2011-0773 - cross-site scripting (XSS) vulnerability. Fixed in PivotX 2.3.2.
  • CVE-2011-0772 - multiple cross-site scripting (XSS) vulnerabilities. Fixed in PivotX 2.3.2.