Incomplete blacklist vulnerability in Open Journal Systems before 2.3.7 allows remote authenticated users with the Author Role permission to execute arbitrary code by uploading a file with an executable extension that is not ".php", then accessing it via a direct request to the file in submission/original/ in the associated article directory, as demonstrated using .pHp, .asp, and other extensions. Per http://cwe.mitre.org/data/definitions/184.html (CWE-184: Incomplete Blacklist).
Publication date: Fri, 07 Sep 2012 02:55:00 +0000