CVE-2015-5457

PivotX < 2.3.11 - Remote Code Execution via File Extension Validation Bypass

Title source: llm
STIX 2.1

Description

PivotX before 2.3.11 does not validate the new file extension when renaming a file with multiple extensions, which allows remote attackers to execute arbitrary code by uploading a crafted file, as demonstrated by a file named foo.php.php.

Scores

EPSS 0.0468
EPSS Percentile 90.7%

Details

CWE
CWE-20
Status published
Products (1)
pivotx/pivotx < 2.3.10
Published Jul 08, 2015
Tracked Since Feb 18, 2026