Omeka suffers from an authenticated arbitrary PHP code execution. The vulnerability is caused due to the improper verification of uploaded files in '/admin/items/add' script thru the 'file[0]' POST parameter. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file that will be stored in '/files/original' directory after successfully disabling the file validation option (or adding something like 'application/x-php' into the allowed MIME types list) and bypassing the rewrite rule in the '.htaccess' file with '.php5' extension. Versions 2.2.1 and 2.2 are affected.
0a1342ee773203c952cf130020bde67a3a822d5d3ee8eec7f9380b7a27d2f503