Vulnerability Details : CVE-2012-1468
Incomplete blacklist vulnerability in Open Journal Systems before 2.3.7 allows remote authenticated users with the Author Role permission to execute arbitrary code by uploading a file with an executable extension that is not ".php", then accessing it via a direct request to the file in submission/original/ in the associated article directory, as demonstrated using .pHp, .asp, and other extensions.
Vulnerability category: Execute code
Exploit prediction scoring system (EPSS) score for CVE-2012-1468
Probability of exploitation activity in the next 30 days: 0.73%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 80 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2012-1468
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
6.0
|
MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
6.8
|
6.4
|
NIST |
References for CVE-2012-1468
- http://pkp.sfu.ca/ojs/RELEASE-2.3.7
-
https://www.htbridge.com/advisory/HTB23079
Multiple vulnerabilities in Open Journal Systems (OJS) - HTB23079 Security Advisory | ImmuniWebExploit
-
http://pkp.sfu.ca/support/forum/viewtopic.php?f=2&t=8431
OJS 2.3.7 Released - PKP Support
Products affected by CVE-2012-1468
- cpe:2.3:a:pkp:open_journal_systems:*:*:*:*:*:*:*:*