Vulnerabilities > CVE-2012-1468 - Unspecified vulnerability in PKP Open Journal Systems
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN pkp
exploit available
Summary
Incomplete blacklist vulnerability in Open Journal Systems before 2.3.7 allows remote authenticated users with the Author Role permission to execute arbitrary code by uploading a file with an executable extension that is not ".php", then accessing it via a direct request to the file in submission/original/ in the associated article directory, as demonstrated using .pHp, .asp, and other extensions.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Exploit-Db
| description | Open Journal Systems (OJS) 2.3.6 Multiple Script Arbitrary File Upload. CVE-2012-1468. Webapps exploit for php platform |
| id | EDB-ID:37001 |
| last seen | 2016-02-04 |
| modified | 2012-03-21 |
| published | 2012-03-21 |
| reporter | High-Tech Bridge |
| source | https://www.exploit-db.com/download/37001/ |
| title | Open Journal Systems OJS 2.3.6 Multiple Script Arbitrary File Upload |
Packetstorm
| data source | https://packetstormsecurity.com/files/download/111073/ojs-shellxss.txt |
| id | PACKETSTORM:111073 |
| last seen | 2016-12-05 |
| published | 2012-03-22 |
| reporter | High-Tech Bridge SA |
| source | https://packetstormsecurity.com/files/111073/Open-Journal-Systems-2.3.6-XSS-File-Manipulation-Shell-Upload.html |
| title | Open Journal Systems 2.3.6 XSS / File Manipulation / Shell Upload |