Arbitrary Code Execution in PivotX before 2.3.11

Arbitrary Code Execution in PivotX before 2.3.11

CVE-2015-5457 · HIGH Severity

AV:N/AC:L/AU:N/C:P/I:P/A:P

PivotX before 2.3.11 does not validate the new file extension when renaming a file with multiple extensions, which allows remote attackers to execute arbitrary code by uploading a crafted file, as demonstrated by a file named foo.php.php.

Learn more about our Web Application Penetration Testing UK.