Metamorfosec Security Advisory METS-2018-001
A Cross-Site Scripting (XSS) Vulnerability in OJS 3.0.0 to 3.1.1-1

FIRST PUBLISHED: June 12, 2018
VERSION: 1.3 (December 20, 2018)
VENDOR: Public Knowledge Project (PKP) (https://pkp.sfu.ca/)
PRODUCT: Open Journal System (OJS)
VERSION AFFECTED: OJS 3.0.0 to 3.1.1-1
CVE-ID: CVE-2018-12229

PRODUCT DESCRIPTION:
(Based on the description on the official website)
Open Journal Systems (OJS) is a journal management and publishing system that has been developed by the Public Knowledge Project through its federally funded efforts to expand and improve access to research. OJS assists with every stage of the refereed publishing process, from submissions through to online publication and indexing. Through its management systems, its finely grained indexing of research, and the context it provides for research, OJS seeks to improve both the scholarly and public quality of refereed research.

FINDING:
Cross-site scripting (XSS) vulnerability in Public Knowledge Project (PKP) Open Journal System (OJS) 3.0.0 to 3.1.1-1 allows remote attackers to inject arbitrary web script or HTML via the templates/frontend/pages/search.tpl $authors parameter (aka the By Author field).

PROOF OF CONCEPT:
In the By Author field, enter "> and then press Enter.

MITIGATION:
Update to OJS 3.1.1-2 or newer.

ADVISORY TIMELINE:
Jun 9, 2018 - Contacted the vendor and received an initial response from a Support Associate of PKP
Jun 11, 2018 - Received a second response from the Associate Director, Strategic Projects and Services of PKP
Jun 12, 2018 - Received a response from the Lead Developer of PKP; patch released by vendor; advisory published (v1.0); CVE-ID requested and assigned
Jun 13, 2018 - Published advisory v1.1
Jun 23, 2018 - Official announcement published by vendor
Jun 24, 2018 - Updated description and references on the CVE-ID entry and published advisory v1.2

REVISION HISTORY:
Version 1.0 (Jun 12, 2018) - First release
Version 1.1 (Jun 13, 2018) - Added Revision History section; modified the sentence in the Finding section to match the CVE-ID description; updated the Published, Version, CVE-ID, Advisory Timeline, and References sections
Version 1.2 (Jun 24, 2018) - Updated the title of the advisory; updated the Version, Version Affected, Finding, Advisory Timeline, Revision History, and References sections
Version 1.3 (Dec 20, 2018) - Added Proof of Concept section (users should have already updated to OJS 3.1.1-2 or newer); updated the Version, Revision History, and Disclaimer sections

REFERENCES:
https://github.com/pkp/pkp-lib/issues/3785
https://forum.pkp.sfu.ca/t/xss-vulnerability-alert/45938
https://forum.pkp.sfu.ca/t/ojs-3-1-1-2-and-omp-3-1-1-3-released/45937
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12229

DISCLAIMER:
The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide information that is as accurate as possible. The latest version of this security advisory is available on our website.
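The following is an added illustration, not OJS/PKP code, of the defect class behind this finding: a search field value reflected into an HTML attribute without escaping, fed the exact input from the Proof of Concept above, beside the escaped form and a simple check a maintainer can use to confirm the attribute context stays intact. The field name, template shape and fix are assumptions, not the actual search.tpl or the vendor's patch.

```php
<?php
// Added example (not OJS/PKP code). Simulates reflecting the "By Author"
// search value back into the search form's <input> value attribute.
// The field name, template shape and the fix are assumptions.
declare(strict_types=1);

// The exact string this advisory's Proof of Concept enters into the field.
const POC_INPUT = '">';

// Vulnerable shape: the submitted value is interpolated into an attribute
// unescaped, so a double quote ends the attribute and '>' ends the tag.
function renderAuthorFieldVulnerable(string $authors): string
{
    return '<input type="text" name="authors" value="' . $authors . '">';
}

// Hardened shape: escape for the HTML attribute context. ENT_QUOTES covers
// both quote characters so the value cannot terminate the attribute;
// ENT_SUBSTITUTE avoids silently emitting an empty string on malformed UTF-8.
function renderAuthorFieldFixed(string $authors): string
{
    $safe = htmlspecialchars($authors, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="authors" value="' . $safe . '">';
}

// Maintainer's check: the template itself contributes exactly one '<' and
// one '>'. Any additional '<' or '>' in the rendered output came from the
// reflected value unescaped, i.e. the attribute context was broken.
function attributeContextIntact(string $html): bool
{
    return substr_count($html, '<') === 1 && substr_count($html, '>') === 1;
}

$vulnerable = renderAuthorFieldVulnerable(POC_INPUT);
$fixed      = renderAuthorFieldFixed(POC_INPUT);

echo 'vulnerable: ', $vulnerable, PHP_EOL;
echo 'fixed:      ', $fixed, PHP_EOL;
echo 'vulnerable context intact? ', var_export(attributeContextIntact($vulnerable), true), PHP_EOL;
echo 'fixed context intact?      ', var_export(attributeContextIntact($fixed), true), PHP_EOL;
```

Run with `php example.php`; the same escaping applies to any template engine output placed inside an attribute, which is why escaping by output context, not input filtering, is the durable fix.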