
Pivotx


Vendor: Pivotx • 16 CVEs

CVEs (16)

Each entry lists: Vendors | Products | Updated | Published | CVSS (v4 / v3 / v2), followed by the description.

1. Vendors: Pivotx (1) | Products: Pivotx (1) | Updated: Oct 24, 2025 | Published: Sep 22, 2025 | CVSS: v4 N/A, v3 5.4 MEDIUM, v2 N/A
   Cross Site Scripting vulnerability in PivotX CMS v.3.0.0 RC 3 allows a remote attacker to execute arbitrary code via the subtitle field.

2. Vendors: Pivotx (1) | Products: Pivotx (1) | Updated: May 13, 2026 | Published: Oct 2, 2017 | CVSS: v4 N/A, v3 7.2 HIGH, v2 6.5 MEDIUM
   lib.php in PivotX 2.3.11 does not properly block uploads of dangerous file types by admin users, which allows remote PHP code execution via an upload of a .php file.

3. Vendors: Pivotx (1) | Products: Pivotx (1) | Updated: May 13, 2026 | Published: Jun 6, 2017 | CVSS: v4 N/A, v3 6.1 MEDIUM, v2 4.3 MEDIUM
   The smarty_self function in modules/module_smarty.php in PivotX 2.3.11 mishandles the URI, allowing XSS via vectors involving quotes in the self Smarty tag.

4. Vendors: Pivotx (1) | Products: Pivotx (1) | Updated: May 13, 2026 | Published: May 31, 2017 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.5 MEDIUM
   PivotX 2.3.11 allows remote authenticated users to execute arbitrary PHP code via vectors involving an upload of a .htaccess file.

5. Vendors: Pivotx (1) | Products: Pivotx (1) | Updated: May 13, 2026 | Published: Apr 7, 2017 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.5 MEDIUM
   PivotX 2.3.11 allows remote authenticated Advanced users to execute arbitrary PHP code by performing an upload with a safe file extension (such as .jpg) and then invoking the duplicate function to change to the .php extension.

6. Vendors: Pivotx (1) | Products: Pivotx (1) | Updated: May 6, 2026 | Published: Jul 8, 2015 | CVSS: v4 N/A, v3 N/A, v2 6.8 MEDIUM
   Session fixation vulnerability in fileupload.php in PivotX before 2.3.11 allows remote attackers to hijack web sessions via the sess parameter.

7. Vendors: Pivotx (1) | Products: Pivotx (1) | Updated: May 6, 2026 | Published: Jul 8, 2015 | CVSS: v4 N/A, v3 N/A, v2 7.5 HIGH
   PivotX before 2.3.11 does not validate the new file extension when renaming a file with multiple extensions, which allows remote attackers to execute arbitrary code by uploading a crafted file, as demonstrated by a file named foo.php.php.

8. Vendors: Pivotx (1) | Products: Pivotx (1) | Updated: May 6, 2026 | Published: Jul 8, 2015 | CVSS: v4 N/A, v3 N/A, v2 4.3 MEDIUM
   Cross-site scripting (XSS) vulnerability in the form method in modules/formclass.php in PivotX before 2.3.11 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO, related to the "PHP_SELF" variable and form actions.

9. Vendors: Pivotx (1) | Products: Pivotx (1) | Updated: May 6, 2026 | Published: Apr 15, 2014 | CVSS: v4 N/A, v3 N/A, v2 7.5 HIGH
   Multiple unrestricted file upload vulnerabilities in fileupload.php in PivotX before 2.3.9 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) .php or (2) .php# extension, and then accessing it via unspecified vectors.

10. Vendors: Pivotx (1) | Products: Pivotx (1) | Updated: May 6, 2026 | Published: Apr 15, 2014 | CVSS: v4 N/A, v3 N/A, v2 3.5 LOW
    Multiple cross-site scripting (XSS) vulnerabilities in PivotX before 2.3.9 allow remote authenticated users to inject arbitrary web script or HTML via the title field to (1) templates_internal/pages.tpl, (2) templates_internal/home.tpl, or (3) templates_internal/entries.tpl; (4) an event field to objects.php; or the (5) email or (6) nickname field to pages.php, related to templates_internal/users.tpl.

11. Vendors: Pivotx (1) | Products: Pivotx (1) | Updated: Apr 29, 2026 | Published: Aug 13, 2012 | CVSS: v4 N/A, v3 N/A, v2 4.3 MEDIUM
    Cross-site scripting (XSS) vulnerability in pivotx/ajaxhelper.php in PivotX 2.3.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the file parameter.

12. Vendors: Pivotx (1) | Products: Pivotx (1) | Updated: Apr 29, 2026 | Published: Feb 19, 2011 | CVSS: v4 N/A, v3 N/A, v2 7.5 HIGH
    The password reset in PivotX before 2.2.4 allows remote attackers to modify the passwords of arbitrary users via unspecified vectors.

13. Vendors: Pivotx (1) | Products: Pivotx (1) | Updated: Apr 29, 2026 | Published: Feb 4, 2011 | CVSS: v4 N/A, v3 N/A, v2 5.0 MEDIUM
    pivotx/modules/module_image.php in PivotX 2.2.2 allows remote attackers to obtain sensitive information via a non-existent file in the image parameter, which reveals the installation path in an error message. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

14. Vendors: Pivotx (1) | Products: Pivotx (1) | Updated: Apr 29, 2026 | Published: Feb 4, 2011 | CVSS: v4 N/A, v3 N/A, v2 5.0 MEDIUM
    PivotX before 2.2.2 allows remote attackers to obtain sensitive information via a direct request to (1) includes/ping.php and (2) includes/spamping.php, which reveals the installation path in an error message.

15. Vendors: Pivotx (1) | Products: Pivotx (1) | Updated: Apr 29, 2026 | Published: Feb 4, 2011 | CVSS: v4 N/A, v3 N/A, v2 4.3 MEDIUM
    Cross-site scripting (XSS) vulnerability in pivotx/modules/module_image.php in PivotX before 2.2.3 allows remote attackers to inject arbitrary web script or HTML via the image parameter.

16. Vendors: Pivotx (1) | Products: Pivotx (1) | Updated: Apr 29, 2026 | Published: Feb 4, 2011 | CVSS: v4 N/A, v3 N/A, v2 4.3 MEDIUM
    Multiple cross-site scripting (XSS) vulnerabilities in PivotX 2.2.0, and possibly other versions before 2.2.2, allow remote attackers to inject arbitrary web script or HTML via the (1) color parameter to includes/blogroll.php or (2) src parameter to includes/timwrapper.php.