CVE-2022-26616 : PKP Vendor Open Journal System v2.4.8 to v3.3.8 allows attackers to perform refl

PKP Vendor Open Journal System v2.4.8 to v3.3.8 allows attackers to perform reflected cross-site scripting (XSS) attacks via crafted HTTP headers.

Published 2022-04-04 13:15:08

Updated 2022-04-11 19:07:01

Source MITRE

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2022-26616

Public Knowledge Project » Open Journal Systems
Versions from including (>=) 2.4.8 and before (<) 3.3.0-9
cpe:2.3:a:public_knowledge_project:open_journal_systems:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.96%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 75 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

https://github.com/pkp/pkp-lib/issues/7649

Add support for limiting allowed hosts · Issue #7649 · pkp/pkp-lib · GitHub
Issue Tracking;Mitigation;Third Party Advisory

CVEs referencing this url
https://forum.pkp.sfu.ca/t/ojs-omp-ops-3-3-0-9-released/72236

OJS/OMP/OPS 3.3.0-10 Released - PKP Announcements - PKP Community Forum
Release Notes;Vendor Advisory

Jump to