Public Knowledge Project OJS and OMP Cross-Site Scripting Vulnerability in Payment Instructions Setting

Vulnerability

A cross-site scripting vulnerability has been identified in Public Knowledge Project's Open Journal Systems (OJS) and Open Monograph Press (OMP) versions 3.3.0, 3.4.0, and 3.5.0. The issue arises in the Payment Instructions Setting Handler, specifically within the file 'plugins/paymethod/manual/templates/paymentForm.tpl'. Scripts injected through the 'manualInstructions' argument are executed in the browser of any user visiting the public-facing page. The issue can be exploited remotely but requires authentication as a Journal Manager or Administrator.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page.
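As an added illustration, not code from this advisory or from PKP, the Python below models the bug class described above: the same setting value rendered verbatim, as the vulnerable template does, and HTML-escaped (Smarty's `|escape` modifier is the template-side equivalent), plus an audit helper for flagging stored setting values that already carry script-bearing markup. The page template, the sample values and the function names are constructed for this example.

```python
import html
import re

# Constructed stand-in for a page that embeds the manual payment plugin's
# 'manualInstructions' setting; this is not the project's own template.
PAGE_TEMPLATE = (
    "<h2>Payment instructions</h2>\n"
    "<div id=\"instructions\">{instructions}</div>"
)


def render_unescaped(instructions: str) -> str:
    """Model of the vulnerable behaviour: the setting is interpolated
    into the page verbatim, so any markup it contains becomes live."""
    return PAGE_TEMPLATE.format(instructions=instructions)


def render_escaped(instructions: str) -> str:
    """Hardened form: HTML-escape the setting before it reaches the page
    so '<', '>', '&' and quotes are shown as text, never parsed as markup."""
    return PAGE_TEMPLATE.format(instructions=html.escape(instructions, quote=True))


# Patterns for markup that can execute script when parsed by a browser.
ACTIVE_MARKUP = re.compile(
    r"<\s*script\b|<\s*iframe\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def contains_active_markup(value: str) -> bool:
    """Audit helper: flag a stored setting value that carries script-bearing
    markup, e.g. when reviewing existing settings after upgrading."""
    return ACTIVE_MARKUP.search(value) is not None


# Constructed sample setting values: one benign, one carrying a script.
BENIGN = "Wire the fee to account 12-345 and quote your submission ID."
HOSTILE = "Pay here <script>document.title='injected'</script>"

if __name__ == "__main__":
    print(render_unescaped(HOSTILE))   # script tag lands in the page intact
    print(render_escaped(HOSTILE))     # script tag appears as inert text
    for value in (BENIGN, HOSTILE):
        print(contains_active_markup(value), value)
```

If a setting is intended to carry limited HTML (formatted instructions), escaping is not the right fix and an allowlist HTML sanitizer is needed instead; the audit helper is a triage aid, not a substitute for either.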

Remediation

Users are advised to upgrade to the latest version of Public Knowledge Project OJS or OMP. The patched versions can be downloaded from the Public Knowledge Project GitHub repository.

Added: Nov 20, 2025, 3:35 PM
Updated: Nov 20, 2025, 3:35 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 5.0
remediation: 7.7
relevance: 1.1
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.