Platform
php
Component
pkp/pkp-lib
Fixed in
3.3.0-16
CVE-2023-5903 describes a stored Cross-Site Scripting (XSS) vulnerability discovered in the pkp-lib GitHub repository prior to version 3.3.0-16. This vulnerability allows attackers to inject malicious scripts into the application, potentially impacting user accounts and system integrity. Affected versions include those prior to and including 3.3.0-16. A patch has been released in version 3.3.0-16.
Successful exploitation of this XSS vulnerability allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious outcomes, including session hijacking, credential theft, and defacement of the affected Open Journal Systems (OJS) instance. An attacker could craft a malicious URL or inject script into a user-controllable field, triggering the XSS when a user visits the page or interacts with the vulnerable element. The impact is amplified if the OJS instance handles sensitive data or is integrated with other systems, potentially enabling lateral movement within the organization.
CVE-2023-5903 was publicly disclosed on November 1, 2023. No known active exploitation campaigns have been reported at this time. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are not widely available, suggesting a relatively low probability of immediate widespread exploitation.
Organizations and individuals utilizing Open Journal Systems (OJS) instances based on vulnerable versions of pkp-lib are at risk. This includes academic institutions, publishers, and researchers who rely on OJS for managing journals and conference proceedings. Shared hosting environments where multiple OJS instances reside on the same server are particularly vulnerable, as a compromise of one instance could potentially impact others.
• php / server:
find /var/www/html/pkp-lib -name '*.php' -print0 | xargs -0 grep -iE '(<script.*?>)|(<img.*?>)|(<iframe.*?>)'
• generic web:
curl -I https://your-ojs-instance.com/ | grep -i 'content-type: text/html'
Disclosure
Exploit Status
EPSS
0.32% (55th percentile)
CVSS-vector
The primary mitigation for CVE-2023-5903 is to upgrade to version 3.3.0-16 or later of pkp-lib. If an immediate upgrade is not feasible, consider implementing input validation and output encoding on user-supplied data to prevent script injection. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and sanitize user-generated content to identify and remove any potentially malicious scripts.
Update the pkp/pkp-lib library to version 3.3.0-16 or later. This fixes the stored XSS vulnerability. You can update the library with Composer by running the command 'composer update pkp/pkp-lib'.
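The advisory tells you to check the installed pkp-lib version and upgrade if it predates 3.3.0-16. The following added example (not part of this advisory or of the pkp project) does that check for a Composer-managed installation: it reads the pkp/pkp-lib entry from a composer.lock document, parses the "major.minor.patch-build" version format used by pkp-lib, and reports whether the build is affected. The composer.lock fragment is constructed for the example; the assumption is that pkp/pkp-lib is tracked in composer.lock, as the Composer upgrade command above implies.

```python
import json
from typing import Optional

# Version in which CVE-2023-5903 is fixed, as stated in the advisory.
FIXED_VERSION = "3.3.0-16"


def parse_version(version: str) -> tuple:
    """Turn a pkp-lib version such as '3.3.0-16' into a comparable tuple.

    The build number after the hyphen matters: 3.3.0-15 is older than
    3.3.0-16, and a version with no build number counts as build 0.
    A leading 'v', as Composer sometimes records tags, is stripped.
    """
    base, _, build = version.lstrip("v").partition("-")
    parts = [int(p) for p in base.split(".")]
    while len(parts) < 3:          # pad e.g. '3.3' to 3.3.0
        parts.append(0)
    parts.append(int(build) if build.isdigit() else 0)
    return tuple(parts)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed version."""
    return parse_version(installed) < parse_version(fixed)


def installed_pkp_lib_version(lock_json: str) -> Optional[str]:
    """Return the pkp/pkp-lib version recorded in a composer.lock document."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "pkp/pkp-lib":
                return pkg["version"]
    return None


def check_lock(lock_json: str) -> Optional[bool]:
    """None if pkp/pkp-lib is absent, otherwise whether it is affected."""
    version = installed_pkp_lib_version(lock_json)
    return None if version is None else is_affected(version)


# Constructed composer.lock fragment (not taken from a real installation).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "example/other", "version": "1.0.0"},
    {"name": "pkp/pkp-lib", "version": "3.3.0-15"},
]})

if __name__ == "__main__":
    print("affected:", check_lock(SAMPLE_LOCK))   # prints "affected: True"
```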
CVE-2023-5903 is a stored Cross-Site Scripting (XSS) vulnerability affecting pkp-lib versions prior to 3.3.0-16, allowing attackers to inject malicious scripts.
You are affected if you are using pkp-lib version 3.3.0-16 or earlier. Check your version and upgrade if necessary.
Upgrade to version 3.3.0-16 or later of pkp-lib. Consider input validation and WAF rules as interim measures.
No active exploitation campaigns have been reported, but vigilance is still advised.
Refer to the official pkp-lib GitHub repository and security advisories for details: https://github.com/pkp/pkp-lib