CVE-2019-19909

Name of the Vulnerable Software and Affected Versions Public Knowledge Project (PKP) pkp-lib versions prior to 3.1.2-2 Open Journal Systems (OJS) versions prior to 3.1.2-2

Description An issue in the report generator allows code injection if an authenticated Journal Manager user visits a crafted URL. This is due to the use of unserialize, which can lead to code injection.

Recommendations For Public Knowledge Project (PKP) pkp-lib versions prior to 3.1.2-2, update to version 3.1.2-2 or later to resolve the issue. For Open Journal Systems (OJS) versions prior to 3.1.2-2, update to version 3.1.2-2 or later to resolve the issue. As a temporary workaround, consider restricting access to the report generator for authenticated Journal Manager users until a patch is available.