PivotX CMS Stored Cross-Site Scripting Vulnerability Leading to Remote Code Execution

Vulnerability

A stored cross-site scripting vulnerability has been identified in PivotX CMS version 3.0.0 RC 3. This vulnerability allows authenticated users to inject malicious JavaScript into blog pages via the subtitle field. The injected script is executed in the browser of anyone who views the page, including administrators. Furthermore, this vulnerability can be exploited to hijack administrator sessions by stealing authentication cookies, and it can be escalated to remote code execution by manipulating PHP file contents or permissions through the administrative interface.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the context of the user viewing the page, with potential actions including session hijacking and privilege escalation. Additionally, once administrative access is gained, the vulnerability can be leveraged for remote code execution on the server.

Reproduction

To reproduce this vulnerability, an authenticated user must inject a script into the subtitle field while creating a blog page. After saving the page, the injected script will execute when the page is viewed. To escalate this to remote code execution, the admin interface can be used to modify PHP files, such as by uploading a reverse shell payload.
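The two controls that break the chain described above are HTML-encoding the subtitle at output time and keeping the authentication cookie unreadable from script. The PHP below is an added example, not PivotX source code. The function names, the `$page` array layout and the cookie name `example_session` are assumptions made for illustration.

```php
<?php
// Added example; not PivotX source. All names here are hypothetical.

// Vulnerable pattern: the stored subtitle is concatenated into the page as-is,
// so markup saved by a page author is parsed by every visitor's browser.
function render_subtitle_unsafe(array $page): string
{
    return '<h2 class="subtitle">' . $page['subtitle'] . '</h2>';
}

// Hardened pattern: encode for the HTML body context when rendering.
// Encoding at output (not only at input) also neutralises values that
// were stored before the fix was deployed.
function render_subtitle(array $page): string
{
    $subtitle = (string) ($page['subtitle'] ?? '');
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return '<h2 class="subtitle">'
        . htmlspecialchars($subtitle, $flags, 'UTF-8')
        . '</h2>';
}

// Defence in depth against the cookie-theft step: HttpOnly hides the cookie
// from document.cookie, Secure keeps it off plain HTTP, SameSite limits
// cross-site sends. Requires PHP 7.3+ for the options-array form.
function issue_session_cookie(string $token): bool
{
    return setcookie('example_session', $token, [
        'expires'  => 0,        // session cookie
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Constructed sample record standing in for a saved blog page.
$page = [
    'title'    => 'About',
    'subtitle' => '<script>alert(document.domain)</script>',
];

echo render_subtitle_unsafe($page), PHP_EOL; // script element reaches the browser intact
echo render_subtitle($page), PHP_EOL;        // angle brackets arrive as &lt; and &gt;
```

HttpOnly only removes the cookie-theft step; injected script can still act inside an administrator's session, so the output encoding is the actual fix.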

Added: Sep 22, 2025, 7:51 PM
Updated: Sep 23, 2025, 12:02 AM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 7.5
exploitability: 6.5
remediation: 0.0
relevance: 0.5
threat: 7.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.