Unrated severityNVD Advisory· Published Sep 6, 2012· Updated Apr 29, 2026

CVE-2012-1469

Description

Multiple cross-site scripting (XSS) vulnerabilities in Open Journal Systems before 2.3.7 allow remote attackers and remote authenticated users to inject arbitrary web script or HTML via the (1) editor or (2) callback parameters to lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/ibrowser.php in the iBrowser plugin, (3) authors[][url] parameter to index.php, or (4) Bio Statement or (5) Abstract of Submission fields to the stripUnsafeHtml function in lib/pkp/classes/core/String.inc.php.

Affected products

Pkp/Open Journal Systems
cpe:2.3:a:pkp:open_journal_systems:*:*:*:*:*:*:*:*
Range: <=2.3.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

archives.neohapsis.com/archives/bugtraq/2012-03/0102.htmlnvdExploit
www.htbridge.com/advisory/HTB23079nvdExploit
secunia.com/advisories/48449nvdVendor Advisory
secunia.com/advisories/48464nvdVendor Advisory
pkp.sfu.ca/ojs/RELEASE-2.3.7nvd
pkp.sfu.ca/support/forum/viewtopic.phpnvd
www.osvdb.org/80255nvd
www.osvdb.org/80256nvd
www.osvdb.org/80257nvd
exchange.xforce.ibmcloud.com/vulnerabilities/74225nvd
exchange.xforce.ibmcloud.com/vulnerabilities/74226nvd
exchange.xforce.ibmcloud.com/vulnerabilities/74227nvd
exchange.xforce.ibmcloud.com/vulnerabilities/74228nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.020
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000