Description
Multiple incomplete blacklist vulnerabilities in inc/core/class.dc.core.php in Dotclear before 2.8.2 allow remote authenticated users with "manage their own media items" and "manage their own entries and comments" permissions to execute arbitrary PHP code by uploading a file with a (1) .pht, (2) .phps, or (3) .phtml extension.
Remediation
References
Related Vulnerabilities
WordPress Plugin W3SCloud Contact Form 7 to Zoho CRM Cross-Site Scripting (1.1.2)
WordPress Plugin Timetable and Event Schedule by MotoPress Cross-Site Scripting (2.3.18)
Drupal Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2009-2372)
Plone CMS Weak Password Requirements Vulnerability (CVE-2020-7940)