Platform
php
Component
pkp/pkp-lib
Fixed in
3.3.0-16
CVE-2023-5904 describes a stored Cross-Site Scripting (XSS) vulnerability discovered in the pkp-lib GitHub repository prior to version 3.3.0-16. Successful exploitation could allow an attacker to inject malicious scripts into the application, potentially leading to unauthorized access or data theft. This vulnerability affects users running versions of pkp-lib equal to or below 3.3.0-16, and a patch is available in version 3.3.0-16.
The primary impact of CVE-2023-5904 is the potential for Cross-Site Scripting (XSS) attacks. An attacker could inject malicious JavaScript code into the pkp-lib application, which would then be executed in the browsers of unsuspecting users. This could lead to various consequences, including session hijacking, redirection to malicious websites, and the theft of sensitive user data such as cookies and authentication tokens. The attacker could potentially gain control of user accounts or compromise the integrity of the application itself. The scope of impact depends on the specific functionality affected by the XSS vulnerability and the privileges of the affected users.
CVE-2023-5904 was publicly disclosed on November 1, 2023. There are currently no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 2.7 indicates a low severity, suggesting a relatively low probability of exploitation. No KEV listing is currently available.
Organizations and individuals using Open Journal Systems (OJS) or other applications built on pkp-lib versions 3.3.0-16 and earlier are at risk. This includes academic institutions, publishers, and researchers who rely on these platforms for managing and publishing scholarly content. Shared hosting environments using vulnerable versions of pkp-lib are particularly susceptible.
• php / server:
grep -r "<script" /path/to/pkp-lib/code
• generic web:
curl -I <affected_url> | grep -i content-security-policy
These are generic checks only: the grep surfaces script tags in the code base but does not tell you whether the vulnerable code path is present, and the curl check only reports whether a Content-Security-Policy header is sent. The reliable check is the installed pkp-lib version.
Exploit status
EPSS
0.31% (54th percentile)
CVSS vector
The recommended mitigation for CVE-2023-5904 is to immediately upgrade to version 3.3.0-16 or later. This version contains a fix that addresses the underlying vulnerability. If upgrading is not immediately feasible, consider implementing input validation and output encoding techniques to sanitize user-supplied data and prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured to detect and block XSS attacks can also provide an additional layer of protection. After upgrading, confirm the fix by attempting to inject a simple XSS payload into a vulnerable input field and verifying that the script is not executed.
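The interim measure above, output encoding of user-supplied data, shown as an added PHP example; this is not pkp-lib code and makes no claim about where the vulnerable output is in pkp-lib. It assumes a hypothetical stored value `$comment` read from the database, and contrasts the unencoded write with the encoded one for the HTML body and the quoted attribute context.

```php
<?php
// Added example, not pkp-lib's own code: contextual output encoding as an
// interim defence against stored XSS. $comment stands in for any stored,
// attacker-controlled value rendered back into a page (assumption).

// Constructed sample of stored input that carries a script payload
$comment = '<img src=x onerror="alert(document.cookie)">';

// Vulnerable pattern: untrusted data interpolated into HTML unencoded,
// so the browser parses the stored markup and runs the handler.
function renderUnsafe(string $value): string
{
    return "<p>$value</p>";
}

// Hardened pattern for the HTML body context: encode <, >, &, " and '
// so the value is displayed as text rather than parsed as markup.
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderSafe(string $value): string
{
    return '<p>' . encodeHtml($value) . '</p>';
}

// Attribute context: the attribute must be quoted AND the value encoded;
// encoding alone does not protect an unquoted attribute.
function renderAttrSafe(string $value): string
{
    return '<input type="text" value="' . encodeHtml($value) . '">';
}

// Simple self-check: the encoded output must not contain a parsable tag.
function containsRawTag(string $html): bool
{
    return (bool) preg_match('/<img\b/i', $html);
}

header('Content-Type: text/html; charset=UTF-8');

$safeBody = renderSafe($comment);
$safeAttr = renderAttrSafe($comment);

assert(containsRawTag(renderUnsafe($comment)) === true);
assert(containsRawTag($safeBody) === false);
assert(containsRawTag($safeAttr) === false);

echo $safeBody, "\n";
echo $safeAttr, "\n";
```

Encoding at output time, per context, is what actually prevents the stored payload from executing; input validation on its own does not help for data that is already in the database, and a WAF only filters what it recognises. Data written into JavaScript, URLs or CSS needs encoding for that context rather than the HTML encoding shown here.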
Update the pkp/pkp-lib library to version 3.3.0-16 or later. This fixes the stored XSS vulnerability. You can update the library using Composer.
CVE-2023-5904 is a stored Cross-Site Scripting (XSS) vulnerability affecting pkp-lib versions up to 3.3.0-16, allowing attackers to inject malicious scripts.
You are affected if you are using pkp-lib versions 3.3.0-16 or earlier. Check your version and upgrade immediately.
Upgrade to version 3.3.0-16 or later to resolve the vulnerability. Consider input validation and WAF rules as interim measures.
There are currently no known public exploits or active campaigns targeting CVE-2023-5904, but vigilance is still advised.
Refer to the official pkp-lib security advisories on their GitHub repository or website for detailed information and updates.