Public Knowledge · Ojs · CVE-2024-56525
**Name of the Vulnerable Software and Affected Versions**
Public Knowledge Project (PKP) OJS versions prior to 3.3.0.21
Public Knowledge Project (PKP) OMP versions prior to 3.3.0.21
Public Knowledge Project (PKP) OPS versions prior to 3.3.0.21
Public Knowledge Project (PKP) OJS versions 3.4.x prior to 3.4.0.8
Public Knowledge Project (PKP) OMP versions 3.4.x prior to 3.4.0.8
Public Knowledge Project (PKP) OPS versions 3.4.x prior to 3.4.0.8
**Description**
The vulnerability allows a user holding the Journal Editor role to carry out an XML External Entity (XXE) attack by uploading a crafted XML document through the User XML Plugin. This enables the creation of a new super admin role in the journal context and the insertion of a backdoor plugin.
**Recommendations**
For Public Knowledge Project (PKP) OJS, OMP, and OPS versions prior to 3.3.0.21, update to version 3.3.0.21 or later.
For Public Knowledge Project (PKP) OJS, OMP, and OPS versions 3.4.x prior to 3.4.0.8, update to version 3.4.0.8 or later.
As a temporary workaround, consider restricting the upload of XML documents as User XML Plugins to minimize the risk of exploitation.
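As an added illustration of the defensive side of the description and workaround above (example code written for this page, not PKP's own import code), the PHP function below refuses a user-import document that carries a DOCTYPE or entity declaration and parses the rest with network access disabled; the function name and the two sample documents are constructed for the example.

```php
<?php
// Added example, not OJS/OMP/OPS code: guard an uploaded User XML document
// against XXE before it reaches the importer.
declare(strict_types=1);

function loadUserXmlSafely(string $xml): ?DOMDocument
{
    // A user-import document never needs a DTD, so any DOCTYPE or ENTITY
    // declaration (where external and parameter entities live) is rejected
    // outright, before the parser sees it.
    if (preg_match('/<!DOCTYPE|<!ENTITY/i', $xml) === 1) {
        return null;
    }

    $previousErrorMode = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET forbids network fetches during parsing. LIBXML_NOENT is
    // deliberately NOT passed, so entity references are never substituted.
    // (On PHP < 8.0 also call libxml_disable_entity_loader(true) first;
    // PHP 8.0+ disables the external entity loader by default.)
    $loaded = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previousErrorMode);

    if ($loaded === false) {
        return null;
    }
    // Second check at the DOM level: a DOCTYPE node means the pre-check was
    // somehow bypassed (e.g. unusual encoding), so refuse the document.
    if ($doc->doctype !== null) {
        return null;
    }
    return $doc;
}

// Constructed samples (hypothetical, not real PKP import files).
$benign = '<?xml version="1.0"?><users><user><username>editor1</username></user></users>';
$withDtd = '<?xml version="1.0"?><!DOCTYPE users [<!ENTITY x "y">]>'
         . '<users><user><username>&x;</username></user></users>';

foreach (['benign' => $benign, 'with DTD' => $withDtd] as $label => $sample) {
    $result = loadUserXmlSafely($sample);
    echo $label, ': ', ($result instanceof DOMDocument ? 'accepted' : 'rejected'), PHP_EOL;
}
```

The same pre-check can be applied at upload time to implement the workaround the advisory suggests, independently of how the importer later parses the file.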