
pkp/pkp-lib
CVE History
| CVE | Published | CVSS v3 | CVSS v2 | Description |
|---|---|---|---|---|
| | | 2.4 LOW | 3.3 LOW | A security vulnerability has been detected in Public Knowledge Project OMP and OJS 3.3.0/3.4.0/3.5.0. Impacted is an unknown function of the file plugins/paymethod/manual/templates/paymentForm.tpl of the component Payment Instructions Setting Handler. The manipulation of the argument manualInstructions leads to cross-site scripting. The attack can be initiated remotely. You should upgrade the affected component. |
| | | 6.1 MEDIUM | — | Public Knowledge Project pkp-lib 3.4.0-7 and earlier is vulnerable to open redirect due to a lack of input sanitization in the logout function. |
| | | 5.4 MEDIUM | — | Cross-site Scripting (XSS) - Stored in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| | | 5.4 MEDIUM | — | Cross-site Scripting (XSS) - Stored in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| | | 4.3 MEDIUM | — | Cross-Site Request Forgery (CSRF) in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| | | 3.5 LOW | — | Cross-site Scripting in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| | | 3.5 LOW | — | Cross-Site Request Forgery in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| | | 5.3 MEDIUM | — | PKP-WAL (aka PKP Web Application Library or pkp-lib) before 3.3.0-16, as used in Open Journal Systems (OJS) and other products, does not verify that the file named in an XML document (used for the native import/export plugin) is an image file before trying to use it for an issue cover image. |
| | | 8.8 HIGH | — | Cross-Site Request Forgery (CSRF) in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| | | 8.8 HIGH | — | Cross-Site Request Forgery (CSRF) in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| | | 5.4 MEDIUM | — | Cross-site Scripting (XSS) - Stored in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| | | 8.8 HIGH | — | Cross-Site Request Forgery (CSRF) in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| | | 5.4 MEDIUM | — | Cross-site Scripting (XSS) - DOM in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| | | 5.4 MEDIUM | — | Cross-site Scripting (XSS) - Stored in GitHub repository pkp/pkp-lib prior to 3.4.0-4. |
| | | 5.4 MEDIUM | — | Cross-site Scripting (XSS) - Reflected in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| | | 5.4 MEDIUM | — | Cross-site Scripting (XSS) - Stored in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| | | 8.2 HIGH | — | Insufficient Session Expiration in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| | | 8.1 HIGH | — | Use of Predictable Algorithm in Random Number Generator in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| | | 6.1 MEDIUM | 4.3 MEDIUM | PKP Vendor Open Journal System v2.4.8 to v3.3.8 allows attackers to perform reflected cross-site scripting (XSS) attacks via crafted HTTP headers. |
| | | 6.1 MEDIUM | 4.3 MEDIUM | Cross-site scripting (XSS) via Host header injection in PKP Open Journals System 2.4.8 >= 3.3 allows remote attackers to inject arbitrary code via the X-Forwarded-Host header. |
| | | 8.8 HIGH | 6.8 MEDIUM | An issue was discovered in Public Knowledge Project (PKP) pkp-lib before 3.1.2-2, as used in Open Journal Systems (OJS) before 3.1.2-2. Code injection can occur in the OJS report generator if an authenticated Journal Manager user visits a crafted URL, because unserialize is used. |
| | | — | 4.3 MEDIUM | Cross-site scripting (XSS) vulnerability in templates/frontend/pages/searchResults.tpl in Public Knowledge Project (PKP) Open Monograph Press (OMP) v1.2.0 through 3.1.1-2 before 3.1.1-3 allows remote attackers to inject arbitrary web script or HTML via the catalog.noTitlesSearch parameter (aka the Search field). |
| | | — | 4.3 MEDIUM | Cross-site scripting (XSS) vulnerability in Public Knowledge Project (PKP) Open Journal System (OJS) 3.0.0 to 3.1.1-1 allows remote attackers to inject arbitrary web script or HTML via the templates/frontend/pages/search.tpl parameter (aka the By Author field). |