Metamorfosec Security Advisory METS-2018-002
A Cross-Site Scripting (XSS) Vulnerability in OMP 1.2.0 to 3.1.1-2

FIRST PUBLISHED: June 24, 2018
VERSION: 1.1 (December 20, 2018)
VENDOR: Public Knowledge Project (PKP) (https://pkp.sfu.ca/)
PRODUCT: Open Monograph Press (OMP)
VERSION AFFECTED: OMP 1.2.0 to 3.1.1-2
CVE-ID: CVE-2018-12588

PRODUCT DESCRIPTION:
(Based on the description on the official website)
Open Monograph Press is an open source software platform for managing the editorial workflow required to see monographs, edited volumes, and scholarly editions through internal and external review, editing, cataloguing, production, and publication. OMP can also operate as a press website with catalog, distribution, and sales capacities.

FINDING:
Cross-site scripting (XSS) vulnerability in templates/frontend/pages/searchResults.tpl in Public Knowledge Project (PKP) Open Monograph Press (OMP) v1.2.0 through 3.1.1-2 before 3.1.1-3 allows remote attackers to inject arbitrary web script or HTML via the catalog.noTitlesSearch parameter (aka the Search field). The search string is reflected into the page without HTML escaping, so a browser interprets any markup it contains.

PROOF OF CONCEPT:
In the Search field, enter "> and then press Enter.

MITIGATION:
Update to OMP 3.1.1-3 or newer.

ADVISORY TIMELINE:
Jun 18, 2018 - Initial contact with vendor. Received first response from PKP|PS Support.
Jun 19, 2018 - Received second response from PKP|PS Support; an issue tracker entry on GitHub was created, a patch was released by the vendor, and a CVE-ID was requested.
Jun 20, 2018 - Received CVE-ID.
Jun 23, 2018 - Official announcement published by vendor.
Jun 24, 2018 - Updated description and references on CVE-ID and published Advisory v1.0.

REVISION HISTORY:
Version 1.0 (Jun 24, 2018) - First release.
Version 1.1 (Dec 20, 2018) - Added Proof of Concept section (users should have already updated to OMP 3.1.1-3 or newer); updated Version, Revision History, and Disclaimer sections.

REFERENCES:
https://github.com/pkp/pkp-lib/issues/3805
https://forum.pkp.sfu.ca/t/xss-vulnerability-alert/45938
https://forum.pkp.sfu.ca/t/ojs-3-1-1-2-and-omp-3-1-1-3-released/45937
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12588

DISCLAIMER:
The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on our website.
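The following worked example is added here to illustrate the class of defect in the FINDING section and the shape of the fix; it is not code from this advisory, from OMP, or from the vendor's patch. It uses a constructed stand-in for the "no titles found" message (an assumed shape, not the real searchResults.tpl text) to show the unescaped reflection next to the escaped form, and a small regression check that a template test suite can run to confirm user-supplied search text never reaches the page as live markup.

```python
import html
import re

# Constructed stand-in for the template message that interpolates the search
# query. This is an ASSUMPTION about the output's shape, not OMP's template text.
NO_TITLES_TEMPLATE = '<p class="no-results">No titles found for "{query}".</p>'


def render_unescaped(query: str) -> str:
    """Vulnerable pattern: the raw query is interpolated into HTML, so any
    markup it contains is parsed by the browser (reflected XSS)."""
    return NO_TITLES_TEMPLATE.format(query=query)


def render_escaped(query: str) -> str:
    """Hardened pattern: HTML-escape the query before interpolation. This is
    the equivalent of applying an escape modifier in the template engine."""
    return NO_TITLES_TEMPLATE.format(query=html.escape(query, quote=True))


def extract_tag_names(rendered: str) -> list:
    """Return the names of opening tags present in the rendered HTML.
    A hardened template should only ever yield the tags it defines itself."""
    return re.findall(r"<([A-Za-z][A-Za-z0-9]*)", rendered)


def reflects_raw_markup(rendered: str, query: str) -> bool:
    """Regression check: True when the query contains HTML-significant
    characters and appears verbatim (unescaped) in the rendered output."""
    if not any(ch in query for ch in "<>\"'"):
        return False
    return query in rendered


if __name__ == "__main__":
    # Constructed sample input: a search term carrying markup.
    sample = '"><i>sample</i>'
    for name, renderer in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        out = renderer(sample)
        print(name, "tags:", extract_tag_names(out),
              "raw reflection:", reflects_raw_markup(out, sample))
```

Running the block prints the tag list for each renderer: the unescaped form yields an extra tag taken from the search term, while the escaped form yields only the template's own paragraph tag and the check reports no raw reflection. The same check, applied to the real rendered output of a search results page with a constructed term like the one above, is a simple way to verify an installation has been updated past the affected versions.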