Store XSS when Add Reviewer in pkp/pkp-lib


Reported on

Oct 12th 2023


Store XSS when Add Reviewer

Proof of Concept



Video Poc


This security vulnerability has the potential to steal multiple users' cookies, gain unauthorized access to that user's account through stolen cookies, or redirect the user to other malicious websites...

We are processing your report and will contact the pkp/pkp-lib team within 24 hours. 2 months ago
Alec Smecher modified the Severity from Medium (6.3) to Medium (4.6) 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Alec Smecher validated this vulnerability 2 months ago
HaiNguyen has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alec Smecher marked this as fixed in 3.3.0-16 with commit a868f1 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Nov 1st 2023
Alec Smecher published this vulnerability a month ago
to join this conversation