Cross-site Scripting (XSS) - Stored in pkp/pkp-lib

Successful exploitation of this XSS vulnerability allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious outcomes, including session hijacking, credential theft, and defacement of the affected Open Journal Systems (OJS) instance. An attacker could craft a malicious URL or inject script into a user-controllable field, triggering the XSS when a user visits the page or interacts with the vulnerable element. The impact is amplified if the OJS instance handles sensitive data or is integrated with other systems, potentially enabling lateral movement within the organization.

Organizations and individuals utilizing Open Journal Systems (OJS) instances based on vulnerable versions of pkp-lib are at risk. This includes academic institutions, publishers, and researchers who rely on OJS for managing journals and conference proceedings. Shared hosting environments where multiple OJS instances reside on the same server are particularly vulnerable, as a compromise of one instance could potentially impact others.

• php / server:

find /var/www/html/pkp-lib -name '*.php' -print0 | xargs -0 grep -iE '(<script.*?>)|(<img.*?>)|(<iframe.*?>)'

• generic web:

curl -I https://your-ojs-instance.com/ | grep -i 'content-type: text/html'

1. 2023-11-01Disclosure

   disclosure

1. आरक्षित2023-11-01
2. प्रकाशित2023-11-01
3. संशोधित2025-02-27
4. EPSS अद्यतन2026-04-02

The primary mitigation for CVE-2023-5903 is to upgrade to version 3.3.0-16 or later of pkp-lib. If an immediate upgrade is not feasible, consider implementing input validation and output encoding on user-supplied data to prevent script injection. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and sanitize user-generated content to identify and remove any potentially malicious scripts.