Cross-Site Request Forgery (CSRF) in in pkp/pkp-lib


Reported on

Oct 9th 2023


CSRF led to change permissions of participant in Edit Assignment sessions.

Proof of Concept

Video PoC:


This vulnerability is capable of changing permissions assignments of participant

We are processing your report and will contact the pkp/pkp-lib team within 24 hours. 2 months ago
We have contacted a member of the pkp/pkp-lib team and are waiting to hear back 2 months ago
Alec Smecher modified the Severity from Medium (5.4) to Medium (4.3) 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Alec Smecher validated this vulnerability 2 months ago
0x5468616e68 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alec Smecher marked this as fixed in 3.3.0-16 with commit 2d04e7 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Nov 1st 2023
Alec Smecher published this vulnerability a month ago
to join this conversation