Public Knowledge · Pkp-Lib · CVE-2019-19909
**Name of the Vulnerable Software and Affected Versions**
Public Knowledge Project (PKP) pkp-lib versions prior to 3.1.2-2
Open Journal Systems (OJS) versions prior to 3.1.2-2
**Description**
An issue in the report generator allows code injection if an authenticated Journal Manager user visits a crafted URL. This is due to the use of unserialize, which can lead to code injection.
**Recommendations**
For Public Knowledge Project (PKP) pkp-lib versions prior to 3.1.2-2, update to version 3.1.2-2 or later to resolve the issue.
For Open Journal Systems (OJS) versions prior to 3.1.2-2, update to version 3.1.2-2 or later to resolve the issue.
As a temporary workaround, consider restricting access to the report generator for authenticated Journal Manager users until a patch is available.