Platform
php
Component
pkp/pkp-lib
Fixed in
3.4.0-4
CVE-2023-5896 is a stored Cross-Site Scripting (XSS) vulnerability in pkp-lib, the shared library behind Open Journal Systems (OJS) and the other PKP applications, affecting versions prior to 3.4.0-4. Successful exploitation allows an attacker to inject script into pages served by the application, potentially compromising user accounts and system integrity. The fix is available in version 3.4.0-4.
The vulnerability allows an attacker to inject arbitrary JavaScript into the pkp-lib application. The script executes in the victim's browser when they view the page that renders the stored payload. An attacker could leverage this to steal session cookies, redirect users to malicious websites, or deface the application. Because the XSS is stored, the malicious script persists until it is removed, so it can affect many users over time. While the CVSS score is low, the potential for session hijacking and data theft warrants prompt remediation.
CVE-2023-5896 was publicly disclosed on November 1, 2023. There are currently no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog. While the CVSS score is low, proactive patching is recommended to prevent potential exploitation.
Organizations and individuals using Open Journal Systems (OJS) or other applications built on pkp-lib versions prior to 3.4.0-4 are at risk. This includes academic institutions, publishers, and researchers who rely on OJS for managing their journals.
• php / web: Check whether the application sends a Content-Security-Policy header, which constrains what an injected script can do:
curl -I https://your-ojs-domain.com/ | grep -i content-security-policy
• php / web: Review user input fields for improper sanitization and encoding.
• php / web: Examine application logs for suspicious JavaScript code being injected or executed.
• php / web: Check for unusual user behavior or redirects originating from the application.
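The first check any practitioner makes is whether the installed release predates the fix. The following is an added example, not pkp-lib code: it parses the version spellings PKP uses for the same release ("3.4.0-4" in GitHub tags, "3.4.0.4" in the <release> element of dbscripts/xml/version.xml, "3_4_0-4" in the <tag> element; the layout of version.xml is an assumption here and the sample document is constructed) and compares them against 3.4.0-4. A string comparison cannot see a vendor backport, so treat a "vulnerable" result as a prompt to read the advisory, not as proof.

```python
# Added example, not pkp-lib code: decide whether an installed pkp-lib / OJS
# release predates the 3.4.0-4 fix for CVE-2023-5896.
# Assumptions: the same release may be written "3.4.0-4", "3.4.0.4" or
# "3_4_0-4"; the version.xml layout below is assumed and the sample
# document is constructed for this demonstration.
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = "3.4.0-4"

# major.minor.patch with "." or "_" separators, optional build after ".", "-" or "_"
_VERSION_RE = re.compile(r"(\d+)[._](\d+)[._](\d+)(?:[.\-_](\d+))?")


def parse_version(s: str) -> tuple[int, int, int, int]:
    """Return (major, minor, patch, build) for any of the PKP spellings.

    A missing build number counts as 0, so "3.4.0" sorts before "3.4.0-4".
    """
    m = _VERSION_RE.fullmatch(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed release sorts strictly before the fixed one."""
    return parse_version(installed) < parse_version(fixed)


def release_from_version_xml(xml_text: str) -> str:
    """Pull the <release> value out of a version.xml document (assumed layout)."""
    root = ET.fromstring(xml_text)
    release = root.findtext("release")
    if not release:
        raise ValueError("no <release> element found")
    return release.strip()


# Constructed sample in the assumed shape of dbscripts/xml/version.xml.
SAMPLE_VERSION_XML = """<?xml version="1.0" encoding="UTF-8"?>
<version>
  <application>ojs2</application>
  <type>core</type>
  <release>3.4.0.3</release>
  <tag>3_4_0-3</tag>
  <patch>3.4.0-3</patch>
</version>
"""


def check_installation(xml_text: str) -> tuple[str, bool]:
    """Return (release string, vulnerable?) for a version.xml document."""
    release = release_from_version_xml(xml_text)
    return release, is_vulnerable(release)


if __name__ == "__main__":
    release, vulnerable = check_installation(SAMPLE_VERSION_XML)
    print(f"installed {release}: {'VULNERABLE' if vulnerable else 'fixed'} "
          f"(fixed in {FIXED_VERSION})")
    for v in ("3.3.0-16", "3.4.0-3", "3.4.0-4", "3_4_0-5"):
        print(f"{v:>10}: {'vulnerable' if is_vulnerable(v) else 'fixed'}")
```

Point `check_installation` at the contents of your installation's version.xml (or feed `is_vulnerable` the version string shown in the OJS administration page) and act on a "vulnerable" result by upgrading.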
disclosure
Exploit status
EPSS
0.07% (20th percentile)
CVSS vector
The primary mitigation for CVE-2023-5896 is to upgrade to version 3.4.0-4 or later of pkp-lib. If an immediate upgrade is not feasible, consider implementing input validation and output encoding on user-supplied data to prevent script injection. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Review and sanitize any user-generated content within the pkp-lib application to identify and remove potentially malicious scripts. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple script and verifying it is not executed.
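The two ideas in the paragraph above, output encoding as the fix for stored XSS and "inject a simple script and verify it is not executed" as the post-upgrade check, are shown below as an added example that is not pkp-lib code. The rendering helpers use an invented `affiliation` field to stand in for any stored user-supplied value, the probe payloads are constructed, and the checker parses the HTML a server returns to report anything that would execute script. The same checker can be run over exported user-generated content when reviewing it for injected markup, as the detection list above suggests.

```python
# Added example, not pkp-lib code: the rendering pattern behind a stored XSS
# beside its output-encoded form, plus a parser-based check that a rendered
# fragment carries no active content. The "affiliation" field name and the
# probe payloads are constructed for this demonstration.
import html
from html.parser import HTMLParser


def render_unsafe(affiliation: str) -> str:
    """Vulnerable pattern: a stored user field interpolated into HTML as-is."""
    return f'<span class="affiliation">{affiliation}</span>'


def render_safe(affiliation: str) -> str:
    """Fixed pattern: encode at output time for the HTML text context.

    html.escape converts < > & " ' so no markup can be formed from the stored
    value. Attribute, URL and JavaScript contexts each need their own encoder;
    this helper only covers element text.
    """
    return f'<span class="affiliation">{html.escape(affiliation, quote=True)}</span>'


class ActiveContentFinder(HTMLParser):
    """Collects markup that would run script: <script>, on* handlers, javascript: URLs."""

    URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name}")
            elif (name in self.URL_ATTRS and value
                  and value.strip().lower().startswith("javascript:")):
                self.findings.append(f"javascript: URL in {name}")


def active_content(fragment: str) -> list[str]:
    """Return findings for a rendered fragment; empty means nothing executable parsed."""
    finder = ActiveContentFinder()
    finder.feed(fragment)
    finder.close()
    return finder.findings


# Constructed probe payloads in the spirit of "inject a simple script and
# verify it is not executed"; the last one is benign-looking input that must
# still survive encoding without being flagged.
PROBES = [
    "<script>alert(document.domain)</script>",
    '<img src=x onerror="alert(1)">',
    '<a href="javascript:alert(1)">x</a>',
    "Dept. of Computer Science <b>& Engineering</b>",
]


def verify_escaping(render) -> dict[str, list[str]]:
    """Run every probe through a renderer and map each probe to its findings."""
    return {p: active_content(render(p)) for p in PROBES}


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_unsafe), ("safe", render_safe)):
        print(f"--- {name} ---")
        for probe, findings in verify_escaping(renderer).items():
            print(f"{probe!r:50} -> {findings or 'clean'}")
```

When verifying a live installation, store each probe in the field under test, fetch the page that displays it, and run `active_content` over the response body; an empty result for every probe is what a fixed release should produce. The checker only sees server-rendered HTML, so it will not catch DOM-based sinks or CSS and SVG vectors, and it is a verification aid, not a substitute for the upgrade.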
Update the pkp/pkp-lib library to version 3.4.0-4 or later. This fixes the stored XSS vulnerability. You can update the library using Composer or by downloading the latest version from the repository and replacing the files.
CVE-2023-5896 is a stored Cross-Site Scripting (XSS) vulnerability affecting pkp-lib versions prior to 3.4.0-4, allowing attackers to inject malicious scripts.
You are affected if you are using a pkp-lib version earlier than 3.4.0-4. Check your version and upgrade if necessary.
Upgrade to version 3.4.0-4 or later of pkp-lib. Implement input validation and output encoding as a temporary measure.
As of now, there are no known public exploits or active campaigns targeting CVE-2023-5896.
Refer to the official pkp-lib security advisory on their GitHub repository for detailed information and updates: https://github.com/pkp/pkp-lib/security/advisories/GHSA-796g-355j-499x