Vulnerabilities > CVE-2012-1468 - Unspecified vulnerability in PKP Open Journal Systems
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
SINGLE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Incomplete blacklist vulnerability in Open Journal Systems before 2.3.7 allows remote authenticated users with the Author Role permission to execute arbitrary code by uploading a file with an executable extension that is not ".php", then accessing it via a direct request to the file in submission/original/ in the associated article directory, as demonstrated using .pHp, .asp, and other extensions. Per: http://cwe.mitre.org/data/definitions/184.html 'CWE-184: Incomplete Blacklist'
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Exploit-Db
| description | Open Journal Systems (OJS) 2.3.6 Multiple Script Arbitrary File Upload. CVE-2012-1468. Webapps exploit for php platform |
| id | EDB-ID:37001 |
| last seen | 2016-02-04 |
| modified | 2012-03-21 |
| published | 2012-03-21 |
| reporter | High-Tech Bridge |
| source | https://www.exploit-db.com/download/37001/ |
| title | Open Journal Systems OJS 2.3.6 Multiple Script Arbitrary File Upload |
Packetstorm
| data source | https://packetstormsecurity.com/files/download/111073/ojs-shellxss.txt |
| id | PACKETSTORM:111073 |
| last seen | 2016-12-05 |
| published | 2012-03-22 |
| reporter | High-Tech Bridge SA |
| source | https://packetstormsecurity.com/files/111073/Open-Journal-Systems-2.3.6-XSS-File-Manipulation-Shell-Upload.html |
| title | Open Journal Systems 2.3.6 XSS / File Manipulation / Shell Upload |