LOW · CVE-2023-5904 · CVSS 2.7

Cross-site Scripting (XSS) - Stored in pkp/pkp-lib


Platform

php

Component

pkp/pkp-lib

Fixed in

3.3.0-16

AI Confidence: high · Source: NVD · EPSS 0.3% · Reviewed: May 2026

CVE-2023-5904 describes a stored Cross-Site Scripting (XSS) vulnerability discovered in the pkp-lib GitHub repository prior to version 3.3.0-16. Successful exploitation could allow an attacker to inject malicious scripts into the application, potentially leading to unauthorized access or data theft. This vulnerability affects users running versions of pkp-lib equal to or below 3.3.0-16, and a patch is available in version 3.3.0-16.

Impact and Attack Scenarios

The primary impact of CVE-2023-5904 is the potential for Cross-Site Scripting (XSS) attacks. An attacker could inject malicious JavaScript code into the pkp-lib application, which would then be executed in the browsers of unsuspecting users. This could lead to various consequences, including session hijacking, redirection to malicious websites, and the theft of sensitive user data such as cookies and authentication tokens. The attacker could potentially gain control of user accounts or compromise the integrity of the application itself. The scope of impact depends on the specific functionality affected by the XSS vulnerability and the privileges of the affected users.

Exploitation Context

CVE-2023-5904 was publicly disclosed on November 1, 2023. There are currently no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 2.7 indicates a low severity, suggesting a relatively low probability of exploitation. No KEV listing is currently available.

Who Is at Risk

Organizations and individuals using Open Journal Systems (OJS) or other applications built on pkp-lib versions 3.3.0-16 and earlier are at risk. This includes academic institutions, publishers, and researchers who rely on these platforms for managing and publishing scholarly content. Shared hosting environments using vulnerable versions of pkp-lib are particularly susceptible.

Detection Steps

• php / server:

grep -r "<script" /path/to/pkp-lib/code

• generic web:

curl -I <affected_url> | grep -i content-security-policy

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.31% (54th percentile)

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1
Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Base score: 2.7 (LOW)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: High (authentication level required for the attack)
User Interaction: None (whether the victim must take action)
Scope: Unchanged (impact beyond the affected component)
Confidentiality: Low (risk of exposure of sensitive data)
Integrity: None (risk of unauthorized data modification)
Availability: None (risk of service disruption)

nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet. No physical or local access required.
Attack Complexity
Low: no special conditions required. Reliably exploitable.
Privileges Required
High: an administrator or otherwise privileged account is required.
User Interaction
None: automatic and silent attack. The victim does nothing.
Scope
Unchanged: impact limited to the vulnerable component.
Confidentiality
Low: partial access to some data.
Integrity
None: no integrity impact.
Availability
None: no availability impact.

Affected Software

Component: pkp/pkp-lib
Vendor: pkp
Affected range: 3.0.0 – 3.3.0-15
Fixed in: 3.3.0-16

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The recommended mitigation for CVE-2023-5904 is to immediately upgrade to version 3.3.0-16 or later. This version contains a fix that addresses the underlying vulnerability. If upgrading is not immediately feasible, consider implementing input validation and output encoding techniques to sanitize user-supplied data and prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured to detect and block XSS attacks can also provide an additional layer of protection. After upgrading, confirm the fix by attempting to inject a simple XSS payload into a vulnerable input field and verifying that the script is not executed.

How to Fix

Update the pkp/pkp-lib library to version 3.3.0-16 or later. This fixes the stored XSS vulnerability. The library can be updated using Composer.


Frequently Asked Questions

What is CVE-2023-5904 — XSS in pkp-lib Open Journal Systems?

CVE-2023-5904 is a stored Cross-Site Scripting (XSS) vulnerability affecting pkp-lib versions up to 3.3.0-16, allowing attackers to inject malicious scripts.

Am I affected by CVE-2023-5904 in pkp-lib Open Journal Systems?

You are affected if you are using pkp-lib versions 3.3.0-16 or earlier. Check your version and upgrade immediately.
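The "am I affected" check made concrete, as an added example that is not part of this advisory or of pkp-lib itself: it reads a Composer lock file (a constructed excerpt is embedded), locates pkp/pkp-lib and compares the installed version against the affected range 3.0.0 to 3.3.0-15 from the Affected Software table. Version parsing assumes pkp-lib's MAJOR.MINOR.PATCH-BUILD scheme with an optional leading "v" and treats a missing build number as 0.

```python
import json
import re

# Affected range and fix version as stated in this advisory's Affected Software table.
AFFECTED_FROM = "3.0.0"
AFFECTED_TO = "3.3.0-15"
FIXED_IN = "3.3.0-16"

# Constructed composer.lock excerpt (not from any real project); the version
# string deliberately carries the "v" prefix Composer sometimes records.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "monolog/monolog", "version": "2.9.1"},
        {"name": "pkp/pkp-lib", "version": "v3.3.0-12"},
    ]
})


def parse_version(ver):
    """Turn '3.3.0-16' (optionally 'v'-prefixed) into a 4-tuple of ints.
    Assumed scheme: MAJOR.MINOR.PATCH-BUILD; a missing build counts as 0,
    so '3.3.0' sorts below '3.3.0-16'."""
    nums = [int(n) for n in re.findall(r"\d+", ver.lstrip("vV"))][:4]
    return tuple(nums + [0] * (4 - len(nums)))


def is_affected(ver):
    """True when the version lies inside the advisory's affected range."""
    return parse_version(AFFECTED_FROM) <= parse_version(ver) <= parse_version(AFFECTED_TO)


def check_composer_lock(lock_text, package="pkp/pkp-lib"):
    """Return (installed_version, affected) for the package, or (None, False)
    when the package does not appear in the lock file at all."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg["version"], is_affected(pkg["version"])
    return None, False


if __name__ == "__main__":
    version, affected = check_composer_lock(SAMPLE_COMPOSER_LOCK)
    status = "AFFECTED, upgrade to " + FIXED_IN if affected else "not affected"
    print(f"pkp/pkp-lib {version}: {status}")
```

Run it against your own composer.lock by passing the file contents to check_composer_lock; an installation that pins pkp-lib outside Composer must be checked by version string directly with is_affected.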

How do I fix CVE-2023-5904 in pkp-lib Open Journal Systems?

Upgrade to version 3.3.0-16 or later to resolve the vulnerability. Consider input validation and WAF rules as interim measures.

Is CVE-2023-5904 being actively exploited?

There are currently no known public exploits or active campaigns targeting CVE-2023-5904, but vigilance is still advised.

Where can I find the official pkp-lib advisory for CVE-2023-5904?

Refer to the official pkp-lib security advisories on their GitHub repository or website for detailed information and updates.
