Jetbox One 2.0.8 and possibly other versions allow remote attackers with Author privileges in the IMAGES module to upload PHP files and execute arbitrary code.
https://exchange.xforce.ibmcloud.com/vulnerabilities/16900
http://www.securityfocus.com/bid/10859