Stored XSS in module named "New Submissions" in pkp/pkp-lib


Reported on

Sep 3rd 2023


I tested the demo site you provided. I see that there is a Stored XSS vulnerability. I hope you can check and provide a fix as soon as possible.

Proof of Concept

Link video Poc


1. Log in as account demo

2. Access the module Submissions

3. Then create a New Submissions

4. Pass the payload to the Title field in the Import Metadata section

5. Then save the submissions and click on activity log & note and the payload will be executed


Stored XSS (Cross-Site Scripting) is a type of web security vulnerability caused by improper input validation and inadequate data sanitization in a web application. It occurs when an attacker injects malicious scripts (usually in the form of HTML or JavaScript) into a website's database or storage, which is then fetched and displayed to unsuspecting users. These scripts are executed in the browsers of those who visit the infected page, enabling the attacker to steal sensitive information, such as login credentials or personal data, and potentially take control of the user's account or perform malicious actions on their behalf. To prevent stored XSS, developers must implement proper input validation and output encoding to ensure that user-supplied data is treated as plain text and not executed as code on the web page.
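
The output-encoding mitigation described above, applied to a stored title that is later shown in a log entry. This is an added example, not part of the original report and not pkp-lib code; the message template, function names and sample title are constructed assumptions.

```javascript
// Added example: hypothetical names and constructed data, not pkp-lib code.

// Encode the characters that are significant in HTML text and in quoted
// attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed stand-in for the stored record. The title is kept verbatim,
// exactly as it was entered in the metadata form.
const storedSubmission = { id: 42, title: 'Soil study <img src=x onerror=alert(1)>' };

// Hypothetical log message template with named placeholders.
const LOG_TEMPLATE = 'Submission "{title}" was created by {user}.';
const PLACEHOLDER = /\{(\w+)\}/g;

// Vulnerable: parameters are spliced into the markup unencoded, so the
// stored title is parsed as HTML in the browser of whoever opens the log.
function renderLogEntryUnsafe(template, params) {
  const text = template.replace(PLACEHOLDER, (_, key) => params[key] ?? '');
  return `<li class="log-entry">${text}</li>`;
}

// Hardened: the template and every parameter are encoded at output time,
// so the stored value stays unchanged but is displayed as plain text.
function renderLogEntrySafe(template, params) {
  const text = escapeHtml(template).replace(PLACEHOLDER, (_, key) => escapeHtml(params[key] ?? ''));
  return `<li class="log-entry">${text}</li>`;
}

// Count tag openers in a fragment; anything beyond the wrapping <li>...</li>
// pair means user data was interpreted as markup.
function countTags(html) {
  return (html.match(/<\/?[a-z]/gi) || []).length;
}

const params = { title: storedSubmission.title, user: 'demo' };
console.log(countTags(renderLogEntryUnsafe(LOG_TEMPLATE, params)), 'tags (unsafe)');
console.log(countTags(renderLogEntrySafe(LOG_TEMPLATE, params)), 'tags (safe)');
console.log(renderLogEntrySafe(LOG_TEMPLATE, params));
```
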

We are processing your report and will contact the pkp/pkp-lib team within 24 hours. 6 months ago
We have contacted a member of the pkp/pkp-lib team and are waiting to hear back 5 months ago
Alec Smecher modified the Severity from High (8.4) to Low (3.5) 5 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Alec Smecher validated this vulnerability 5 months ago
trunggg02 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alec Smecher marked this as fixed in 3.3.0-16 with commit 83fa56 5 months ago
Alec Smecher has been awarded the fix bounty
5 months ago


@Alec Smecher Hi, on what basis can you judge the level as low?? Stored XSS is a quite serious vulnerability, attackers can capture users' cookies and take over their accounts. Can you review these reports??

5 months ago


@Alec Smecher You can see the reports that have been published on hunterdev, there is no Stored XSS report with a Low rating.

5 months ago


@admin I don't see the developer responding to my comments

5 months ago


@maintainer You can view other reports?? They all scored at a high level

This vulnerability has now been published 4 months ago