PT-2025-7800 · Public Knowledge · Ojs+2

Muhammad Hendra · Published 2025-02-24 · Updated 2025-03-03 · CVE-2024-56525

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Public Knowledge Project (PKP) OJS versions prior to 3.3.0.21
Public Knowledge Project (PKP) OMP versions prior to 3.3.0.21
Public Knowledge Project (PKP) OPS versions prior to 3.3.0.21
Public Knowledge Project (PKP) OJS versions 3.4.x prior to 3.4.0.8
Public Knowledge Project (PKP) OMP versions 3.4.x prior to 3.4.0.8
Public Knowledge Project (PKP) OPS versions 3.4.x prior to 3.4.0.8
Description

The issue allows an XXE attack by a user holding the Journal Editor role. By uploading a crafted XML document through the User XML Plugin import, the editor can create a new super admin role in the journal context and insert a backdoor plugin.
Recommendations

For Public Knowledge Project (PKP) OJS, OMP, and OPS versions prior to 3.3.0.21, update to version 3.3.0.21 or later.
For Public Knowledge Project (PKP) OJS, OMP, and OPS versions 3.4.x prior to 3.4.0.8, update to version 3.4.0.8 or later.
As a temporary workaround, consider restricting the upload of XML documents as User XML Plugins to minimize the risk of exploitation.
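The temporary workaround above, restricting what may be uploaded as a user XML import, can be enforced with a pre-screen that refuses any document carrying a DOCTYPE or entity declaration before the importer parses it. The following is an added example written for this advisory, not PKP's own code; it assumes a legitimate user-import document never needs a DTD, and the two sample documents are constructed (they do not use the real PKP schema).

```python
import xml.parsers.expat as expat

# Constructed sample of a benign user-import document (not PKP's real schema).
BENIGN_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<users><user><username>editor1</username><email>editor1@example.org</email></user></users>"""

# Constructed sample carrying the XXE pattern the advisory describes: a DOCTYPE
# that declares an external entity and references it from element content.
XXE_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE users [ <!ENTITY ext SYSTEM "http://example.invalid/placeholder"> ]>
<users><user><username>&ext;</username></user></users>"""


def xxe_indicators(xml_bytes: bytes) -> list[str]:
    """Return the DTD-related findings in an uploaded document without
    resolving anything: expat only reports the declarations, and parameter
    entity parsing is disabled so no external DTD subset is ever fetched."""
    findings: list[str] = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE declared for <{name}>")
        if sysid or pubid:
            findings.append(f"external DTD referenced: {sysid or pubid}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        if sysid or pubid:
            findings.append(f"external {kind} entity: {name} -> {sysid or pubid}")
        else:
            findings.append(f"internal {kind} entity: {name}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        findings.append(f"not well-formed: {exc}")
    return findings


def screen_user_xml_upload(xml_bytes: bytes) -> tuple[bool, list[str]]:
    """Accept an upload only if it is well-formed and carries no DTD at all.
    Assumption: the legitimate import format never needs a DOCTYPE, so its
    mere presence is enough to refuse the file before the importer sees it."""
    findings = xxe_indicators(xml_bytes)
    return (len(findings) == 0, findings)
```

Wire the screen in front of the import handler and log the findings; a rejected upload from an editor account is itself a useful detection signal.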

Fix

Weakness Enumeration

Incorrect Default Permissions

Related Identifiers

CVE-2024-56525

Affected Products

Ojs
Omp
Ops