CVE-2014-0341

Name of the Vulnerable Software and Affected Versions PivotX versions prior to 2.3.9

Description The issue allows remote authenticated users to inject arbitrary web script or HTML via specific fields, including the title field to certain template files, an event field, email field, or nickname field. This can be achieved by accessing specific endpoints, such as objects.php or pages.php, and manipulating the title, event, email, or nickname fields.

Recommendations For PivotX versions prior to 2.3.9, update to version 2.3.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the templates internal/pages.tpl, templates internal/home.tpl, templates internal/entries.tpl, and templates internal/users.tpl templates, as well as limiting input to the title, event, email, and nickname fields in objects.php and pages.php.