Stored XSS using journal-role when a user tries to export users of any journal in pkp/pkp-lib

Valid

Reported on

Sep 23rd 2023


BUG

Stored XSS using journal-role when a user tries to export users of any journal

SUMMARY

A lower-level user can attack a higher-level user using this XSS.

STEPS TO REPRODUCE

1. From the Admin account, create a journal called "journal-A".

2. As Admin, go to the above journal at http://localhost/ojs/index.php/dddd/management/settings/access#users and add a new user called "user-B" with the role "Production editor".

3. Now, as user-B, go to "user & role" of the above journal-A at http://localhost/ojs/index.php/dddd/management/settings/access#roles and create a new role with the XSS payload xss"''><img src=x onerror=alert()> in the "Role Name" field.

4. Now go to the admin account, open the above journal-A, then Statistics->Users. Here the URL looks like http://localhost/ojs/index.php/dddd/stats/users/users.
Here the admin tries to export the users and the XSS is executed.

Impact

A lower-level user can attack a higher-level user using this XSS.
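
The class of defect described above, as an added example that is not part of the original report and is not pkp-lib code: a stored role name is written into export-dialog markup without output encoding, shown beside a hardened form. The function names, the markup and the role ids are hypothetical; the second role name is the value from step 3.

```javascript
// Added illustration; not pkp-lib code. Function names and markup are hypothetical.

// Constructed sample data: one ordinary role and the role name from step 3.
const roles = [
  { id: 1, name: 'Journal manager' },
  { id: 2, name: `xss"''><img src=x onerror=alert()>` },
];

// Vulnerable pattern: stored role names are concatenated straight into markup,
// both as element text and inside a quoted attribute.
function renderRoleOptionsUnsafe(list) {
  return list
    .map((r) => `<label><input type="checkbox" value="${r.id}" title="${r.name}"> ${r.name}</label>`)
    .join('\n');
}

// Encode the five characters that are significant in HTML text and in
// quoted attribute values. Quotes matter here because the stored value
// is also placed inside title="...".
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: every stored value is encoded at the point of output,
// regardless of which role was allowed to write it.
function renderRoleOptionsSafe(list) {
  return list
    .map((r) => {
      const id = escapeHtml(r.id);
      const name = escapeHtml(r.name);
      return `<label><input type="checkbox" value="${id}" title="${name}"> ${name}</label>`;
    })
    .join('\n');
}

// Review helper: true when rendered markup still contains a raw <img tag,
// i.e. stored data was interpreted as markup instead of text.
function containsInjectedTag(html) {
  return /<img\b/i.test(html);
}
```

Encoding at output time keeps the role name intact in storage and renders it as literal text for every viewer, including higher-privileged users who open the export dialog.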

We are processing your report and will contact the pkp/pkp-lib team within 24 hours. 5 months ago
We have contacted a member of the pkp/pkp-lib team and are waiting to hear back 5 months ago
Alec Smecher modified the Severity from Medium (4.3) to Low (2.7) 5 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Alec Smecher validated this vulnerability 5 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alec Smecher marked this as fixed in 3.4.0-4 with commit 18b318 5 months ago
The fix bounty has been dropped
This vulnerability has now been published 4 months ago