Описание
Incomplete blacklist vulnerability in Open Journal Systems before 2.3.7 allows remote authenticated users with the Author Role permission to execute arbitrary code by uploading a file with an executable extension that is not ".php", then accessing it via a direct request to the file in submission/original/ in the associated article directory, as demonstrated using .pHp, .asp, and other extensions.
Комментарий
Per: http://cwe.mitre.org/data/definitions/184.html 'CWE-184: Incomplete Blacklist'
Уязвимые конфигурации
EPSS
6 Medium
CVSS2
Дефекты
Связанные уязвимости
Incomplete blacklist vulnerability in Open Journal Systems before 2.3.7 allows remote authenticated users with the Author Role permission to execute arbitrary code by uploading a file with an executable extension that is not ".php", then accessing it via a direct request to the file in submission/original/ in the associated article directory, as demonstrated using .pHp, .asp, and other extensions.
Incomplete blacklist vulnerability in Open Journal Systems before 2.3. ...
Incomplete blacklist vulnerability in Open Journal Systems before 2.3.7 allows remote authenticated users with the Author Role permission to execute arbitrary code by uploading a file with an executable extension that is not ".php", then accessing it via a direct request to the file in submission/original/ in the associated article directory, as demonstrated using .pHp, .asp, and other extensions.
EPSS
6 Medium
CVSS2