CVE-2012-1468

Description

Incomplete blacklist vulnerability in Open Journal Systems before 2.3.7 allows remote authenticated users with the Author Role permission to execute arbitrary code by uploading a file with an executable extension that is not ".php", then accessing it via a direct request to the file in submission/original/ in the associated article directory, as demonstrated using .pHp, .asp, and other extensions.

Predictions

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.

References

• http://pkp.sfu.ca/ojs/RELEASE-2.3.7
• http://pkp.sfu.ca/support/forum/viewtopic.php?f=2&t=8431
• https://www.htbridge.com/advisory/HTB23079
• http://pkp.sfu.ca/ojs/RELEASE-2.3.7
• http://pkp.sfu.ca/support/forum/viewtopic.php?f=2&t=8431
• https://www.htbridge.com/advisory/HTB23079

💬 Discuss CVE-2012-1468 on VIR Community →

Community-verified mitigations for this CVE will appear above when contributors publish them.