MEDIUM✓ PATCH🇬🇧 English

CVE-2012-1468

CVSS 6.0v2.0pub. 2012-09-06upd. 2026-04-29

Incomplete blacklist vulnerability in Open Journal Systems before 2.3.7 allows remote authenticated users with the Author Role permission to execute arbitrary code by uploading a file with an executable extension that is not ".php", then accessing it via a direct request to the file in submission/original/ in the associated article directory, as demonstrated using .pHp, .asp, and other extensions.

oryginał EN
CVSS Vector
AV:N/AC:M/Au:S/C:P/I:P/A:P
  • Pkp Open Journal Systems

    APP
    Pkp
    ≤ 2.3.6
🟢
PATCH DOSTĘPNY
Aktualizacja od producenta gotowa. Wdrożenie w ramach standardowego cyklu.
Tagi
RCE
CWE
Referencje

Powiązane podatności

CVE-2012-1467MEDIUM6.5ten sam produkt

Multiple directory traversal vulnerabilities in the iBrowser plugin library, as used in Open Journal Systems b...

CVE-2012-1469MEDIUM4.3ten sam produkt

Multiple cross-site scripting (XSS) vulnerabilities in Open Journal Systems before 2.3.7 allow remote attacker...

CVE-2023-5889HIGH8.2ten sam vendor

Insufficient Session Expiration in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

CVE-2023-5898HIGH8.8ten sam vendor

Cross-Site Request Forgery (CSRF) in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

CVE-2023-5899HIGH8.8ten sam vendor

Cross-Site Request Forgery (CSRF) in GitHub repository pkp/pkp-lib prior to 3.3.0-16.