CVE-2015-5457
PivotX < 2.3.11 - Remote Code Execution via File Extension Validation Bypass
Title source: llmDescription
PivotX before 2.3.11 does not validate the new file extension when renaming a file with multiple extensions, which allows remote attackers to execute arbitrary code by uploading a crafted file, as demonstrated by a file named foo.php.php.
References (6)
Core 6
Core References
Exploit x_refsource_misc
http://software-talk.org/blog/2015/06/session-fixation-xss-code-execution-vulnerability-pivotx/
Exploit x_refsource_misc
http://packetstormsecurity.com/files/132474/PivotX-2.3.10-Session-Fixation-XSS-Code-Execution.html
Various Sources x_refsource_confirm
http://blog.pivotx.net/archive/2015/06/21/pivotx-2311-released
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/75577
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/535860/100/0/threaded
Scores
EPSS
0.0468
EPSS Percentile
90.7%
Details
CWE
CWE-20
Status
published
Products (1)
pivotx/pivotx
< 2.3.10
Published
Jul 08, 2015
Tracked Since
Feb 18, 2026