Cross-site Scripting (XSS) - Stored in pkp/pkp-lib

The XSS vulnerability allows an attacker to inject arbitrary JavaScript code into the pkp-lib application. This code could be executed in the context of a victim's browser when they visit a compromised page. An attacker could leverage this to steal session cookies, redirect users to malicious websites, or deface the application. The stored nature of the XSS means the malicious script persists until removed, potentially affecting multiple users over time. While the CVSS score is LOW, the potential for session hijacking and data theft warrants prompt remediation.

Organizations and individuals using Open Journal Systems (OJS) or other applications built on pkp-lib versions prior to 3.4.0-4 are at risk. This includes academic institutions, publishers, and researchers who rely on OJS for managing their journals.

• php / web:

curl -I https://your-ojs-domain.com/ | grep -i content-security-policy

• php / web: Review user input fields for improper sanitization and encoding. • php / web: Examine application logs for suspicious JavaScript code being injected or executed. • php / web: Check for unusual user behavior or redirects originating from the application.

1. 2023-11-01Disclosure

   disclosure

1. 已保留2023-11-01
2. 发布日期2023-11-01
3. 修改日期2025-02-27
4. EPSS 更新日期2026-04-02

The primary mitigation for CVE-2023-5896 is to upgrade to version 3.4.0-4 or later of pkp-lib. If an immediate upgrade is not feasible, consider implementing input validation and output encoding on user-supplied data to prevent script injection. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Review and sanitize any user-generated content within the pkp-lib application to identify and remove potentially malicious scripts. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple script and verifying it is not executed.