A vulnerability has been discovered in Pivot, which can be
exploited by malicious people to delete certain files.
Input passed to the "refkey" parameter in
extensions/bbclone_tools/count.php is not properly sanitised
before being used to delete files. This can be exploited to
delete files with the permissions of the web server via directory
traversal sequences passed within the "refkey" parameter.
NOTE: Users with the "Advanced" user level are able to include and
execute uploaded PHP code via the "pivot_path" parameter in
extensions/bbclone_tools/getkey.php when
extensions/bbclone_tools/hr_conf.php can be deleted.