Public Knowledge · Pkp Open Journals System · CVE-2022-24181
**Name of the Vulnerable Software and Affected Versions**
PKP Open Journals System versions 2.4.8 through 3.3
**Description**
The issue allows remote attackers to inject arbitrary code via the `X-Forwarded-Host` header, leading to cross-site scripting (XSS). It is a Host header injection: the application accepts an attacker-controlled `X-Forwarded-Host` value instead of a trusted hostname.
**Recommendations**
For versions 2.4.8 through 3.3, consider restricting use of the `X-Forwarded-Host` header so that untrusted values are not accepted, to minimize the risk of exploitation. As a temporary workaround, disabling use of the `X-Forwarded-Host` header until a patch is available mitigates the issue. At the time of writing, no newer version containing a fix for this vulnerability has been announced.
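The check the recommendation above describes, as an added Python example that is not part of Open Journals System or of this advisory: it assumes an application that builds its site origin from the proxied host header, an allow-list of the site's own hostnames, and constructed sample header values; the function names are hypothetical.

```python
import re

# A hostname made of RFC 1123 labels, with an optional port. Anything else is
# not a host and must never be reflected into URLs or HTML.
_HOST_RE = re.compile(
    r"^(?P<host>(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)"
    r"(?::(?P<port>\d{1,5}))?$",
    re.IGNORECASE,
)


def vulnerable_base_url(headers: dict, fallback_host: str) -> str:
    """The weak pattern: whatever X-Forwarded-Host says becomes the site origin."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host") or fallback_host
    return f"https://{host}/"


def hardened_base_url(headers: dict, allowed_hosts: set, fallback_host: str,
                      trust_proxy: bool = False) -> str:
    """Honour X-Forwarded-Host only when a trusted proxy is known to set it, and
    only if the value is a syntactically valid, explicitly allow-listed host."""
    candidates = []
    if trust_proxy:
        candidates.append(headers.get("X-Forwarded-Host"))
    candidates.append(headers.get("Host"))
    for raw in candidates:
        if not raw:
            continue
        # Chained proxies may append: "a.example, b.example". Use the first hop.
        value = raw.split(",")[0].strip()
        m = _HOST_RE.match(value)
        if not m:
            continue  # not a hostname at all; never reflect it
        host = m.group("host").lower()
        port = m.group("port")
        if port is not None and not 0 < int(port) < 65536:
            continue
        if host in allowed_hosts:
            return f"https://{value.lower()}/"
    # Nothing acceptable was presented: fall back to the configured hostname.
    return f"https://{fallback_host}/"
```

Note that the allow-list is checked on the hostname alone, so a permitted host on a non-default port (as a proxy might present it) is still accepted.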