Description
Multiple incomplete blacklist vulnerabilities in inc/core/class.dc.core.php in Dotclear before 2.8.2 allow remote authenticated users with "manage their own media items" and "manage their own entries and comments" permissions to execute arbitrary PHP code by uploading a file with a (1) .pht, (2) .phps, or (3) .phtml extension.
Remediation
References
Related Vulnerabilities
Apache Tomcat Permissions, Privileges, and Access Controls Vulnerability (CVE-2011-1582)
PleskLin Exposure of Resource to Wrong Sphere Vulnerability (CVE-2023-43784)
IBM WebSEAL Weak Password Requirements Vulnerability (CVE-2024-35137)
WordPress Plugin YITH WooCommerce Compare Security Bypass (2.3.13)