| Title | Harvard University Dataverse Project 6.8 build 1994-92d1ec8 Unrestricted Upload |
|---|
| Description | Description
A Critical vulnerability exists in the DataVerse theme customization feature. The application fails to properly validate file uploads on the server side. While the client-side interface restricts uploads to .jpg or .png extensions, this control is easily bypassed by intercepting the HTTP request and modifying the filename and content.
Impact
Successful exploitation allows an attacker to upload and execute arbitrary Java server pages (JSP). This leads to Remote Code Execution (RCE) under the context of the web server user. |
|---|
| Source | ⚠️ https://gist.github.com/KaiqueFerreiraPeres/ba039887d7f894a7c38252314e0ef2cc |
|---|
| User | JustF0rFun (UID 94359) |
|---|
| Submission | 01/29/2026 19:28 (2 months ago) |
|---|
| Moderation | 04/01/2026 11:17 (2 months later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 354616 [Harvard University IQSS Dataverse up to 6.8 Theme Customization /ThemeAndWidgets.xhtml uploadLogo unrestricted upload] |
|---|
| Points | 20 |
|---|