CVE-2012-2902

Name of the Vulnerable Software and Affected Versions Joomla Content Editor (JCE) component versions prior to 2.1

Description The issue allows remote authors to execute arbitrary PHP code by uploading a PHP file with a double extension. This can be achieved when chunking is set to greater than zero in the editor/extensions/browser/file.php file.

Recommendations For versions prior to 2.1, update to version 2.1 or later to resolve the issue. As a temporary workaround, consider restricting file uploads or disabling the chunking feature in the editor/extensions/browser/file.php file until a patch is available. Restrict access to the file.php module to minimize the risk of exploitation. Avoid using double extensions in file uploads until the issue is resolved.