The DropDocuments plugin in KnowledgeTree before 3.5.4a allows remote authenticated users to gain administrative privileges via a certain sequence of "browse documents" and dashboard requests.
https://exchange.xforce.ibmcloud.com/vulnerabilities/47530
http://www.securityfocus.com/bid/32920
http://wiki.knowledgetree.com/Version_3.5.4a#Security