Stored xss using journal-name in journal-tab in pkp/pkp-lib

Valid

Reported on

Sep 11th 2023


BUG

Stored xss using journal-name in journal-tab

ACCOUNT

1. user-A --> superadmin --> Victim --> Firefox browser, normal mode
2. user-B --> journal manager --> Attacker --> Firefox browser, Container-1

STEPS TO REPRODUCE

1. From the user-A account, create a journal called "journal-A".

2. Add user-B to this journal as "journal manager" (I already did this).

3. Log in to the user-B account and change the journal name to the XSS payload: xss"'><img src=x onerror=alert(document.domain)>

4. From the user-A account, open the journal statistics at http://localhost/ojs-3.4.0-3/index.php/xss/stats/context/context and see that the XSS is executed.

IMPACT

Using this XSS, the attacker (user-B) can execute any JavaScript code in the victim's (user-A) account, and can gain full control over the victim account by executing any JavaScript code.

VIDEO POC

https://drive.google.com/file/d/1iA456XdYaWe7qgkkkhp_I3Wzlr8fn2Re/view?usp=sharing

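As an added illustration (not code from the report or from pkp-lib), the defensive pattern for this class of bug: a journal name is input from a journal manager, so it must be HTML-escaped wherever it is rendered, and already-stored names can be audited for markup after a fix lands. The renderer and audit functions are hypothetical stand-ins, not OJS code; the payload is the one quoted in step 3.

```python
import html
import re

# The exact payload from step 3 of the report, copied here as test input.
REPORT_PAYLOAD = 'xss"\'><img src=x onerror=alert(document.domain)>'

# Fragments that never belong in a plain-text setting such as a journal name:
# a tag opener, an inline event handler, or a javascript: URL scheme.
SUSPICIOUS = re.compile(r'<\s*[a-z!/]|\bon[a-z]+\s*=|javascript:', re.IGNORECASE)


def render_journal_name_unsafe(name: str) -> str:
    """Vulnerable pattern (hypothetical): raw interpolation into HTML.

    Whatever the journal manager typed becomes part of the page structure.
    """
    return f'<h1 class="context-name">{name}</h1>'


def render_journal_name_safe(name: str) -> str:
    """Hardened pattern: escape for the HTML text context at render time.

    quote=True also encodes both quote characters, so the same output is
    safe inside a double- or single-quoted attribute value.
    """
    return f'<h1 class="context-name">{html.escape(name, quote=True)}</h1>'


def audit_context_names(settings: dict[str, str]) -> list[str]:
    """Return the ids of journals whose stored name looks like markup.

    Intended as a one-off check over exported context settings after an
    upgrade, so that names entered before the fix can be reviewed.
    """
    return [cid for cid, name in settings.items() if SUSPICIOUS.search(name)]


if __name__ == "__main__":
    # Constructed sample settings: one clean journal and the reported one.
    sample = {"jexa": "Journal of Examples", "xss": REPORT_PAYLOAD}
    print(render_journal_name_unsafe(REPORT_PAYLOAD))
    print(render_journal_name_safe(REPORT_PAYLOAD))
    print("flagged:", audit_context_names(sample))
```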

We are processing your report and will contact the pkp/pkp-lib team within 24 hours. 3 months ago
We have contacted a member of the pkp/pkp-lib team and are waiting to hear back 3 months ago
Alec Smecher modified the Severity from Critical (9.1) to Low (2.7) 3 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Alec Smecher validated this vulnerability 3 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alec Smecher marked this as fixed in 3.3.0-16 with commit aa5c6a 3 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Nov 1st 2023
Alec Smecher
3 months ago

@ranjit-git, I have decreased the severity of the issue significantly from what you originally reported. The field you are using to demonstrate the vulnerability requires a high level of privileges in order to use; this user already has the ability to include arbitrary Javascript, so there is no privilege escalation.

Alec Smecher published this vulnerability a month ago