Multiple directory traversal vulnerabilities in the iBrowser plugin library, as used in Open Journal Systems before 2.3.7, allow remote authenticated users to (1) delete or (2) rename arbitrary files via a .. (dot dot) in the param parameter to lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/rfiles.php.
oryginał ENAV:N/AC:L/Au:S/C:P/I:P/A:PPkp Open Journal Systems
APPPkp≤ 2.3.6
Powiązane podatności
Incomplete blacklist vulnerability in Open Journal Systems before 2.3.7 allows remote authenticated users with...
Multiple cross-site scripting (XSS) vulnerabilities in Open Journal Systems before 2.3.7 allow remote attacker...
Insufficient Session Expiration in GitHub repository pkp/pkp-lib prior to 3.3.0-16.
Cross-Site Request Forgery (CSRF) in GitHub repository pkp/pkp-lib prior to 3.3.0-16.
Cross-Site Request Forgery (CSRF) in GitHub repository pkp/pkp-lib prior to 3.3.0-16.