Platform
php
Component
pkp/pkp-lib
Fixed in
3.3.0-16
CVE-2023-5895 describes a DOM-based Cross-Site Scripting (XSS) vulnerability in the pkp/pkp-lib GitHub repository, the shared library underneath the Open Journal Systems (OJS) publishing platform. It allows an attacker to run script in a victim's browser in the context of the OJS site, which can lead to session hijacking or data theft. Versions of pkp-lib prior to 3.3.0-16 are affected; 3.3.0-16 contains the fix.
The vulnerability lets an attacker execute arbitrary JavaScript in a victim's browser session with the OJS site. That script can read whatever the page can reach, including cookies that are not flagged HttpOnly, perform actions as the victim using their existing session, redirect them to an attacker-controlled site, or deface the page. Because the flaw is DOM-based, the injected value is consumed by client-side JavaScript rather than being echoed by the server; when the payload travels in the URL fragment, it is never included in the HTTP request, so server-side input filtering, WAF rules and server logs do not see it. Exploitation still depends on a victim opening an attacker-crafted link. A successful attack compromises the confidentiality and integrity of the affected user's session and data.
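To make the source-to-sink mechanics concrete, here is an added example of a generic DOM-based XSS pattern beside its hardened form. It is not pkp-lib's code and does not reproduce the CVE-2023-5895 flaw; the tab-selection feature, tab names and URL layout are assumptions made for illustration, and the sample fragments are constructed.

```javascript
// Added example: a generic DOM-based XSS source-to-sink pattern and its
// hardened form. Not pkp-lib's code and not the CVE-2023-5895 flaw; the page
// feature, tab names and URL layout are assumptions made for illustration.

// Constructed inputs: a benign fragment and an attacker-crafted one. In a
// browser the fragment comes from location.hash and never leaves the client,
// so no server-side filter or access log sees the payload.
const BENIGN_HASH = "#reviews";
const PAYLOAD_HASH = '#<img src=x onerror="alert(document.cookie)">';

function fragmentValue(hash) {
  // Browsers differ on whether location.hash is percent-encoded; normalise.
  try {
    return decodeURIComponent(hash.replace(/^#/, ""));
  } catch (e) {
    return ""; // malformed percent-encoding: treat as "no selection"
  }
}

// Vulnerable pattern: the fragment is interpolated into markup unchanged and
// the result is handed to an HTML-parsing sink (innerHTML, jQuery .html(), ...).
function buildTabHeadingUnsafe(hash) {
  return `<h2 class="tab-heading">${fragmentValue(hash)}</h2>`;
}

// Hardened pattern, part 1: anything rendered as text is HTML-escaped.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hardened pattern, part 2: the fragment only ever selects one of a fixed
// set of tabs, so validate against an allowlist and fall back on mismatch.
const KNOWN_TABS = new Set(["submission", "reviews", "production"]);
function selectTab(hash) {
  const tab = fragmentValue(hash);
  return KNOWN_TABS.has(tab) ? tab : "submission";
}
function buildTabHeadingSafe(hash) {
  return `<h2 class="tab-heading">${escapeHtml(selectTab(hash))}</h2>`;
}

// Preferred sink: write text, not markup. textContent never invokes the HTML
// parser, so even an unescaped value cannot become an element or a handler.
// `el` stands in for a DOM element so the function can run outside a browser.
function applyTabHeading(el, hash) {
  el.textContent = selectTab(hash);
  return el;
}

console.log("unsafe:", buildTabHeadingUnsafe(PAYLOAD_HASH));
console.log("safe:  ", buildTabHeadingSafe(PAYLOAD_HASH));
console.log("text:  ", applyTabHeading({}, PAYLOAD_HASH).textContent);
```

The unsafe builder emits the `<img>` element with its `onerror` handler intact, which an HTML-parsing sink would execute; the hardened builder never lets an unexpected value reach the markup at all, and the `textContent` variant removes the parser from the path entirely. Escaping alone would have been enough to neutralise this payload, but the allowlist is what matches the feature's real contract, and it is the version that stays correct if the value is later reused in an attribute or a URL.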
Exploit Status
CVE-2023-5895 was publicly disclosed on November 1, 2023. Currently, there are no reports of active exploitation in the wild. No Proof-of-Concept (PoC) code has been publicly released. The vulnerability is not listed on the CISA KEV catalog as of this writing.
EPSS
0.07% (22nd percentile)
CVSS Vector
The primary mitigation for CVE-2023-5895 is to upgrade to pkp-lib 3.3.0-16 or later. If an immediate upgrade is not possible because of compatibility concerns or downtime constraints, be aware that server-side input validation and output encoding do not remove a DOM-based XSS: the vulnerable sink is in client-side JavaScript, and a payload in the URL fragment never reaches the server. Interim controls that do reduce impact are a Content Security Policy that forbids inline script execution (test it first, since OJS templates rely on inline scripts and an unadjusted policy will break the interface), the HttpOnly and SameSite attributes on the session cookie so that injected script cannot read or casually replay it, and user awareness that links to the journal site from untrusted sources should be treated with suspicion. Review and harden the OJS configuration, and scan the installation regularly with automated security tools, but treat all of this as risk reduction, not a fix.
Upgrade pkp/pkp-lib to version 3.3.0-16 or later. pkp-lib is not installed as a standalone Composer dependency; it ships inside the OJS release as the lib/pkp submodule, so the practical route is to upgrade the OJS installation itself to the 3.3.0-16 release (or later), which bundles the patched library, following the steps in the release's upgrade documentation (docs/UPGRADE.md and the tools/upgrade.php script). Back up the database and files directory before upgrading.
CVE-2023-5895 is a DOM-based Cross-Site Scripting (XSS) vulnerability in the pkp-lib component of Open Journal Systems (OJS) affecting versions prior to 3.3.0-16, allowing attackers to execute malicious scripts in a victim's browser.
You are affected if you are running Open Journal Systems with pkp-lib prior to 3.3.0-16. pkp-lib is also the shared library under PKP's other platforms (Open Monograph Press and Open Preprint Systems), so check those installations too. The installed version is shown under Administration > System Information in the OJS web interface.
Upgrade pkp-lib to version 3.3.0-16 or later. If an immediate upgrade is not possible, deploy a Content Security Policy that blocks inline scripts and harden the session cookie attributes as interim measures; server-side input validation and output encoding do not address a DOM-based sink.
As of now, there are no confirmed reports of active exploitation in the wild for CVE-2023-5895.
Refer to the official pkp-lib GitHub repository and the Open Journal Systems website for the latest security advisories and updates related to CVE-2023-5895.