CVE-2009-2133

Name of the Vulnerable Software and Affected Versions Pivot versions 1.40.4 through 1.40.7

Description The issue allows remote attackers to inject arbitrary web script or HTML via various parameters to different actions in pivot/index.php and pivot/user.php. The affected parameters include the menu, sort, check array, element name, edituser, edit, blog, cat, form fields, url, and username fields in different actions.

Recommendations For Pivot version 1.40.4, update to a version that fixes the XSS vulnerabilities. For Pivot version 1.40.7, update to a version that fixes the XSS vulnerabilities. As a temporary workaround, consider restricting access to the affected parameters, such as the menu and sort parameters in the "pivot/index.php" endpoint, the edituser parameter in the "edituser action" to "pivot/index.php", and the username field in the "my weblog reg user action" to "pivot/user.php", until a patch is available.