Cross-site Scripting (XSS) - DOM in pkp/pkp-lib

The XSS vulnerability in pkp-lib allows an attacker to inject arbitrary JavaScript code into the context of a user's browser session. This can be exploited to steal sensitive information, such as cookies and session tokens, which could then be used to impersonate the user. Attackers could also redirect users to malicious websites or deface the OJS website. The DOM-based nature of the vulnerability means the attack doesn't necessarily require direct control over server-side code, making it potentially easier to exploit. Successful exploitation could compromise the confidentiality and integrity of the OJS system and its users’ data.

Organizations and individuals using Open Journal Systems (OJS) with versions of pkp-lib prior to 3.3.0-16 are at risk. This includes academic institutions, publishers, and open-access journals that rely on OJS for managing their publications. Shared hosting environments running OJS are particularly vulnerable due to the potential for cross-tenant contamination.

• php / server:

find /var/www/html -name "pkp-lib*" -type d -print0 | xargs -0 grep -i "<script>"

• generic web:

curl -I https://your-ojs-site.com/ | grep Content-Security-Policy

• generic web: Check for unusual JavaScript code in the page source using browser developer tools.

1. 2023-11-01Disclosure

   disclosure

1. आरक्षित2023-11-01
2. प्रकाशित2023-11-01
3. संशोधित2025-02-27
4. EPSS अद्यतन2026-04-02

The primary mitigation for CVE-2023-5895 is to upgrade pkp-lib to version 3.3.0-16 or later. If an immediate upgrade is not possible due to compatibility concerns or downtime constraints, consider implementing strict input validation and output encoding on all user-supplied data within the OJS application. While not a complete solution, this can reduce the attack surface. Review and harden the OJS configuration to minimize potential attack vectors. Regularly scan the OJS installation for vulnerabilities using automated security tools.