CVE-2014-8084

Name of the Vulnerable Software and Affected Versions OSClass versions prior to 3.4.3

Description A directory traversal issue allows remote attackers to include and execute arbitrary local files. This is achieved by using a .. (dot dot) in the ajaxfile parameter in a custom action within the oc-includes/osclass/controller/ajax.php file.

Recommendations For versions prior to 3.4.3, update to version 3.4.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the ajax.php file or disabling custom actions until a patch is applied. Avoid using the ajaxfile parameter in custom actions until the issue is resolved.