Pkp
Products (7)
- 19 CVEs
- 10 CVEs
- 6 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
- 0 CVEs
Recent CVEs (36)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-46326 |  | Med | 0.40 | 6.1 | 0.00 |  | Oct 21, 2024 | Public Knowledge Project pkp-lib 3.4.0-7 and earlier is vulnerable to Open redirect due to a lack of input sanitization in the logout function. |
| CVE-2018-12229 |  | Med | 0.40 | 6.1 | 0.02 |  | Jun 12, 2018 | Cross-site scripting (XSS) vulnerability in Public Knowledge Project (PKP) Open Journal System (OJS) 3.0.0 to 3.1.1-1 allows remote attackers to inject arbitrary web script or HTML via the templates/frontend/pages/search.tpl parameter (aka the By Author field). |
| CVE-2024-50965 |  | Med | 0.35 | 5.4 | 0.00 |  | Nov 22, 2024 | Cross Site Scripting vulnerability in Public Knowledge Project PKP Platform OJS/OMP/OPS- before v.3.3.0.16 allows an attacker to execute arbitrary code and escalate privileges via a crafted script |
| CVE-2025-13469 |  | Low | 0.16 | 2.4 | 0.00 |  | Nov 20, 2025 | A security vulnerability has been detected in Public Knowledge Project omp and ojs 3.3.0/3.4.0/3.5.0. Impacted is an unknown function of the file plugins/paymethod/manual/templates/paymentForm.tpl of the component Payment Instructions Setting Handler. The manipulation of the… |
| CVE-2022-24181 |  |  | 0.03 | — | 0.06 |  | Apr 1, 2022 | Cross-site scripting (XSS) via Host Header injection in PKP Open Journals System 2.4.8 >= 3.3 allows remote attackers to inject arbitrary code via the X-Forwarded-Host Header. |
| CVE-2012-1469 |  |  | 0.03 | — | 0.03 |  | Sep 6, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in Open Journal Systems before 2.3.7 allow remote attackers and remote authenticated users to inject arbitrary web script or HTML via the (1) editor or (2) callback parameters to lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibr… |
| CVE-2012-1468 |  |  | 0.03 | — | 0.03 |  | Sep 6, 2012 | Incomplete blacklist vulnerability in Open Journal Systems before 2.3.7 allows remote authenticated users with the Author Role permission to execute arbitrary code by uploading a file with an executable extension that is not ".php", then accessing it via a direct request to the… |
| CVE-2012-1467 |  |  | 0.03 | — | 0.03 |  | Sep 6, 2012 | Multiple directory traversal vulnerabilities in the iBrowser plugin library, as used in Open Journal Systems before 2.3.7, allow remote authenticated users to (1) delete or (2) rename arbitrary files via a .. (dot dot) in the param parameter to… |
| CVE-2024-7902 |  |  | 0.00 | — | 0.00 |  | Aug 17, 2024 | A vulnerability was found in pkp ojs up to 3.4.0-6 and classified as problematic. Affected by this issue is some unknown functionality of the file /login/signOut. The manipulation of the argument source with the input .example.com leads to open redirect. The attack may be… |
| CVE-2024-25436 |  |  | 0.00 | — | 0.00 |  | Mar 1, 2024 | A cross-site scripting (XSS) vulnerability in the Production module of Pkp Ojs v3.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Input subject field under the Add Discussion function. |
| CVE-2024-25434 |  |  | 0.00 | — | 0.00 |  | Mar 1, 2024 | A cross-site scripting (XSS) vulnerability in Pkp Ojs v3.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Publicname parameter. |
| CVE-2024-24511 |  |  | 0.00 | — | 0.01 |  | Mar 1, 2024 | Cross Site Scripting vulnerability in Pkp OJS v.3.4 allows an attacker to execute arbitrary code via the Input Title component. |
| CVE-2024-24512 |  |  | 0.00 | — | 0.01 |  | Mar 1, 2024 | Cross Site Scripting vulnerability in Pkp OJS v.3.4 allows an attacker to execute arbitrary code via the input subtitle component. |
| CVE-2024-25438 |  |  | 0.00 | — | 0.00 |  | Mar 1, 2024 | A cross-site scripting (XSS) vulnerability in the Submission module of Pkp Ojs v3.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Input subject field under the Add Discussion function. |
| CVE-2023-47271 |  |  | 0.00 | — | 0.01 |  | Nov 5, 2023 | PKP-WAL (aka PKP Web Application Library or pkp-lib) before 3.3.0-16, as used in Open Journal Systems (OJS) and other products, does not verify that the file named in an XML document (used for the native import/export plugin) is an image file, before trying to use it for an… |
| CVE-2023-5904 |  |  | 0.00 | — | 0.00 |  | Nov 1, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| CVE-2023-5903 |  |  | 0.00 | — | 0.00 |  | Nov 1, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| CVE-2023-5900 |  |  | 0.00 | — | 0.00 |  | Nov 1, 2023 | Cross-Site Request Forgery in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| CVE-2023-5901 |  |  | 0.00 | — | 0.00 |  | Nov 1, 2023 | Cross-site Scripting in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| CVE-2023-5897 |  |  | 0.00 | — | 0.00 |  | Nov 1, 2023 | Cross-Site Request Forgery (CSRF) in GitHub repository pkp/customLocale prior to 1.2.0-1. |