VYPR

Pivotx

by Pivotx

CVEs (16)

  • CVE-2017-8402 (High), May 31, 2017
    risk 0.57, cvss 8.8, epss 0.01

    PivotX 2.3.11 allows remote authenticated users to execute arbitrary PHP code via vectors involving an upload of a .htaccess file.

  • CVE-2017-7570 (High), Apr 7, 2017
    risk 0.57, cvss 8.8, epss 0.01

    PivotX 2.3.11 allows remote authenticated Advanced users to execute arbitrary PHP code by performing an upload with a safe file extension (such as .jpg) and then invoking the duplicate function to change to the .php extension.

  • CVE-2017-14958 (High), Oct 2, 2017
    risk 0.47, cvss 7.2, epss 0.01

    lib.php in PivotX 2.3.11 does not properly block uploads of dangerous file types by admin users, which allows remote PHP code execution via an upload of a .php file.

  • CVE-2017-9332 (Medium), Jun 6, 2017
    risk 0.40, cvss 6.1, epss 0.01

    The smarty_self function in modules/module_smarty.php in PivotX 2.3.11 mishandles the URI, allowing XSS via vectors involving quotes in the self Smarty tag.

  • CVE-2025-52367, Sep 22, 2025
    risk 0.09, cvss n/a, epss 0.04

    Cross Site Scripting vulnerability in PivotX CMS v.3.0.0 RC 3 allows a remote attacker to execute arbitrary code via the subtitle field.

  • CVE-2012-2274, Aug 13, 2012
    risk 0.03, cvss n/a, epss 0.03

    Cross-site scripting (XSS) vulnerability in pivotx/ajaxhelper.php in PivotX 2.3.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the file parameter.

  • CVE-2011-0773, Feb 4, 2011
    risk 0.03, cvss n/a, epss 0.02

    Cross-site scripting (XSS) vulnerability in pivotx/modules/module_image.php in PivotX before 2.2.3 allows remote attackers to inject arbitrary web script or HTML via the image parameter.

  • CVE-2011-0772, Feb 4, 2011
    risk 0.03, cvss n/a, epss 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in PivotX 2.2.0, and possibly other versions before 2.2.2, allow remote attackers to inject arbitrary web script or HTML via the (1) color parameter to includes/blogroll.php or (2) src parameter to includes/timwrapper.php.

  • CVE-2015-5458, Jul 8, 2015
    risk 0.00, cvss n/a, epss 0.02

    Session fixation vulnerability in fileupload.php in PivotX before 2.3.11 allows remote attackers to hijack web sessions via the sess parameter.

  • CVE-2015-5457, Jul 8, 2015
    risk 0.00, cvss n/a, epss 0.05

    PivotX before 2.3.11 does not validate the new file extension when renaming a file with multiple extensions, which allows remote attackers to execute arbitrary code by uploading a crafted file, as demonstrated by a file named foo.php.php.

  • CVE-2015-5456, Jul 8, 2015
    risk 0.00, cvss n/a, epss 0.02

    Cross-site scripting (XSS) vulnerability in the form method in modules/formclass.php in PivotX before 2.3.11 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO, related to the "PHP_SELF" variable and form actions.

  • CVE-2014-0342, Apr 15, 2014
    risk 0.00, cvss n/a, epss 0.02

    Multiple unrestricted file upload vulnerabilities in fileupload.php in PivotX before 2.3.9 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) .php or (2) .php# extension, and then accessing it via unspecified vectors.

  • CVE-2014-0341, Apr 15, 2014
    risk 0.00, cvss n/a, epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in PivotX before 2.3.9 allow remote authenticated users to inject arbitrary web script or HTML via the title field to (1) templates_internal/pages.tpl, (2) templates_internal/home.tpl, or (3) templates_internal/entries.tpl; (4)…

  • CVE-2011-1035, Feb 19, 2011
    risk 0.00, cvss n/a, epss 0.04

    The password reset in PivotX before 2.2.4 allows remote attackers to modify the passwords of arbitrary users via unspecified vectors.

  • CVE-2011-0775, Feb 4, 2011
    risk 0.00, cvss n/a, epss 0.01

    pivotx/modules/module_image.php in PivotX 2.2.2 allows remote attackers to obtain sensitive information via a non-existent file in the image parameter, which reveals the installation path in an error message. NOTE: the provenance of this information is unknown; the details are…

  • CVE-2011-0774, Feb 4, 2011
    risk 0.00, cvss n/a, epss 0.01

    PivotX before 2.2.2 allows remote attackers to obtain sensitive information via a direct request to (1) includes/ping.php and (2) includes/spamping.php, which reveals the installation path in an error message.