pkp/pkp-lib
Fixed in
3.3.0-16
CVE-2023-5901 describes a Cross-Site Scripting (XSS) vulnerability discovered in the pkp-lib library, a core component of the Open Journal Systems (OJS) platform. This vulnerability allows an attacker to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking or data theft. The vulnerability affects versions of pkp-lib prior to 3.3.0-16, and a patch has been released to address the issue.
Successful exploitation of CVE-2023-5901 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can be leveraged to steal sensitive information, such as cookies and session tokens, granting the attacker unauthorized access to the user's account. The attacker could also deface the website, redirect users to malicious sites, or perform other actions on behalf of the compromised user. The impact is particularly concerning for OJS installations used by academic institutions and publishers, as these often handle sensitive user data and intellectual property.
CVE-2023-5901 was publicly disclosed on November 1, 2023. There are currently no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 3.5 (LOW) indicates a relatively low probability of exploitation, but the potential impact warrants prompt remediation. This vulnerability is not currently listed on the CISA KEV catalog.
Organizations and institutions running Open Journal Systems (OJS) with versions of pkp-lib prior to 3.3.0-16 are at risk. This includes academic publishers, university libraries, and research institutions that rely on OJS for managing their journals and publications. Shared hosting environments using OJS are particularly vulnerable due to the potential for cross-tenant contamination.
• php / web: Examine OJS application logs for suspicious JavaScript injection attempts. Use a web application firewall (WAF) to filter out common XSS payloads.
• generic web: Use curl/wget to test form fields for XSS vulnerabilities. Inspect the response headers and body for unexpected script tags.
curl -X POST --data-urlencode "FIELD=<script>alert(1)</script>" http://your-ojs-instance/index.php/your-journal/aboutdisclosure
(FIELD is a placeholder for the name of the form field under test; the payload is sent as a named, URL-encoded form parameter so that the application actually reads it and the angle brackets arrive intact.)
Exploit status
EPSS
0.15% (36th percentile)
CVSS vector
The primary mitigation for CVE-2023-5901 is to upgrade pkp-lib to version 3.3.0-16 or later. If an immediate upgrade is not possible due to compatibility issues or downtime constraints, consider implementing input validation and output encoding on user-supplied data within your OJS installation. While not a complete solution, this can help reduce the attack surface. Regularly review and update your OJS installation to ensure you are running the latest security patches. After upgrading, confirm the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) into a form field and verifying that the script is not executed.
Update the pkp/pkp-lib library to version 3.3.0-16 or later. This fixes the Cross-Site Scripting (XSS) vulnerability. You can update the library using Composer.
CVE-2023-5901 is a Cross-Site Scripting (XSS) vulnerability in the pkp-lib library, a core component of Open Journal Systems (OJS), allowing attackers to inject malicious scripts.
You are affected if you are using pkp-lib versions prior to 3.3.0-16 in your Open Journal Systems (OJS) installation. Check your version and upgrade if necessary.
Upgrade pkp-lib to version 3.3.0-16 or later. Consider implementing input validation and output encoding as a temporary mitigation.
As of now, there are no known public exploits or active campaigns targeting CVE-2023-5901, but prompt remediation is still recommended.
Refer to the official Public Knowledge Project (PKP) security advisories for details: https://security.pkp.org/