EPrints 3.4.2 allows remote malicious users to execute arbitrary commands via crafted input to the verb parameter in a cgi/toolbox/toolbox URI.
eprints eprints 3.4.2