Fixed version: 3.3.0-16
CVE-2023-5895 describes a Cross-Site Scripting (XSS) vulnerability discovered in the pkp-lib GitHub repository, a core component of the Open Journal Systems (OJS) publishing platform. This vulnerability allows an attacker to inject malicious scripts into a user's browser, potentially leading to session hijacking or data theft. The vulnerability affects versions of pkp-lib prior to 3.3.0-16, and a patch has been released to address the issue.
The XSS vulnerability in pkp-lib allows an attacker to inject arbitrary JavaScript code into the context of a user's browser session. This can be exploited to steal sensitive information, such as cookies and session tokens, which could then be used to impersonate the user. Attackers could also redirect users to malicious websites or deface the OJS website. The DOM-based nature of the vulnerability means the attack doesn't necessarily require direct control over server-side code, making it potentially easier to exploit. Successful exploitation could compromise the confidentiality and integrity of the OJS system and its users’ data.
CVE-2023-5895 was publicly disclosed on November 1, 2023. Currently, there are no reports of active exploitation in the wild. No Proof-of-Concept (PoC) code has been publicly released. The vulnerability is not listed on the CISA KEV catalog as of this writing.
Organizations and individuals using Open Journal Systems (OJS) with versions of pkp-lib prior to 3.3.0-16 are at risk. This includes academic institutions, publishers, and open-access journals that rely on OJS for managing their publications. Shared hosting environments running OJS are particularly vulnerable due to the potential for cross-tenant contamination.
• php / server (grep needs -r to descend into the matched directories; expect hits in legitimate templates, so look for unexpected or obfuscated additions rather than any match):
  find /var/www/html -name "pkp-lib*" -type d -print0 | xargs -0 grep -ri "<script>"
• generic web (header names are case-insensitive, so match with -i):
  curl -I https://your-ojs-site.com/ | grep -i Content-Security-Policy
• generic web: Check for unusual JavaScript code in the page source using browser developer tools.
Disclosure
Exploitation status
EPSS: 0.07% (22nd percentile)
CVSS vector
The primary mitigation for CVE-2023-5895 is to upgrade pkp-lib to version 3.3.0-16 or later. If an immediate upgrade is not possible due to compatibility concerns or downtime constraints, consider implementing strict input validation and output encoding on all user-supplied data within the OJS application. While not a complete solution, this can reduce the attack surface. Review and harden the OJS configuration to minimize potential attack vectors. Regularly scan the OJS installation for vulnerabilities using automated security tools.
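The paragraph above recommends output encoding as an interim measure. The following is an added illustration of what that means for a DOM-based flaw, written in JavaScript because the vulnerable sink is in the browser; it is not pkp-lib or OJS code, and the `renderSearchResult` function, its field names and the sample inputs are assumptions made for this example. It shows the two sink-specific rules that matter: HTML-encode values landing in markup, and validate the scheme of values landing in an `href` so that `javascript:` URLs cannot survive.

```javascript
// Added example (not pkp-lib/OJS code): output encoding and href-sink
// validation for untrusted values, the interim mitigation named in the text.
// Function and field names are assumptions. Runs under Node; no DOM needed.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};

// Encode a value for the HTML text or double-quoted attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Validate a value destined for an href sink. Only http(s) absolute URLs or
// paths relative to our own origin survive; javascript:, data:, vbscript:
// and unknown schemes collapse to a harmless fragment. The WHATWG URL parser
// lowercases the scheme and strips leading/trailing control characters, so
// " JaVaScRiPt:..." is still rejected.
function safeHref(candidate, base = "https://ojs.example.invalid/") {
  let parsed;
  try {
    parsed = new URL(String(candidate), base);
  } catch {
    return "#";
  }
  return parsed.protocol === "http:" || parsed.protocol === "https:" ? parsed.href : "#";
}

// Build one result row as an HTML string. Each untrusted field goes through
// the treatment appropriate for the context it lands in.
function renderSearchResult(result) {
  const title = escapeHtml(result.title);
  const href = escapeHtml(safeHref(result.link));
  return `<li><a href="${href}">${title}</a></li>`;
}

// Constructed sample inputs of the kind a DOM-based flaw reads from the page
// URL or a JSON response (not real pkp-lib data).
const SAMPLE_RESULTS = [
  { title: "Open Access and Peer Review", link: "/index.php/journal/article/view/42" },
  { title: "<script>alert(1)</script>", link: "javascript:alert(1)" },
  { title: 'A "quoted" title & more', link: " JaVaScRiPt:alert(2)" },
];

function renderAll(results = SAMPLE_RESULTS) {
  return `<ul>${results.map(renderSearchResult).join("")}</ul>`;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderAll());
}
```

The same idea applies on the PHP side of OJS with `htmlspecialchars()` for markup contexts; the point is that encoding happens at each sink, per context, rather than once at input time, and that a URL sink needs scheme validation in addition to encoding.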
Update the pkp/pkp-lib library to version 3.3.0-16 or later. This fixes the XSS vulnerability. You can update the library with Composer by running `composer update pkp/pkp-lib`.
CVE-2023-5895 is a DOM-based Cross-Site Scripting (XSS) vulnerability in the pkp-lib component of Open Journal Systems (OJS) affecting versions up to 3.3.0-16, allowing attackers to inject malicious scripts.
You are affected if you are using Open Journal Systems with pkp-lib versions prior to 3.3.0-16. Check your OJS installation version to determine your risk level.
Upgrade pkp-lib to version 3.3.0-16 or later. If immediate upgrade is not possible, implement input validation and output encoding.
As of now, there are no confirmed reports of active exploitation in the wild for CVE-2023-5895.
Refer to the official pkp-lib GitHub repository and the Open Journal Systems website for the latest security advisories and updates related to CVE-2023-5895.