MEDIUM✓ PATCH🇵🇱 Wersja polska

CVE-2012-1467

CVSS 6.5v2.0pub. 2012-09-06upd. 2026-04-29

Multiple directory traversal vulnerabilities in the iBrowser plugin library, as used in Open Journal Systems before 2.3.7, allow remote authenticated users to (1) delete or (2) rename arbitrary files via a .. (dot dot) in the param parameter to lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/rfiles.php.

CVSS Vector
AV:N/AC:L/Au:S/C:P/I:P/A:P
  • Pkp Open Journal Systems

    APP
    Pkp
    ≤ 2.3.6
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2012-1468MEDIUM6.0ten sam produkt

Incomplete blacklist vulnerability in Open Journal Systems before 2.3.7 allows remote authenticated users with...

CVE-2012-1469MEDIUM4.3ten sam produkt

Multiple cross-site scripting (XSS) vulnerabilities in Open Journal Systems before 2.3.7 allow remote attacker...

CVE-2023-5889HIGH8.2ten sam vendor

Insufficient Session Expiration in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

CVE-2023-5898HIGH8.8ten sam vendor

Cross-Site Request Forgery (CSRF) in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

CVE-2023-5899HIGH8.8ten sam vendor

Cross-Site Request Forgery (CSRF) in GitHub repository pkp/pkp-lib prior to 3.3.0-16.