Vendor CVEs

Pkp

All CVEs

36 total · sorted by risk
  • CVE-2024-46326 · Med · Oct 21, 2024
    risk 0.40 · cvss 6.1 · epss 0.00

    Public Knowledge Project pkp-lib 3.4.0-7 and earlier is vulnerable to Open redirect due to a lack of input sanitization in the logout function.

  • CVE-2018-12229 · Med · Jun 12, 2018
    risk 0.40 · cvss 6.1 · epss 0.02

    Cross-site scripting (XSS) vulnerability in Public Knowledge Project (PKP) Open Journal System (OJS) 3.0.0 to 3.1.1-1 allows remote attackers to inject arbitrary web script or HTML via the templates/frontend/pages/search.tpl parameter (aka the By Author field).

  • CVE-2024-50965 · Med · Nov 22, 2024
    risk 0.35 · cvss 5.4 · epss 0.00

    Cross Site Scripting vulnerability in Public Knowledge Project PKP Platform OJS/OMP/OPS before v.3.3.0.16 allows an attacker to execute arbitrary code and escalate privileges via a crafted script.

  • CVE-2025-13469 · Low · Nov 20, 2025
    risk 0.16 · cvss 2.4 · epss 0.00

    A security vulnerability has been detected in Public Knowledge Project omp and ojs 3.3.0/3.4.0/3.5.0. Impacted is an unknown function of the file plugins/paymethod/manual/templates/paymentForm.tpl of the component Payment Instructions Setting Handler. The manipulation of the…

  • CVE-2022-24181 · Apr 1, 2022
    risk 0.03 · cvss · epss 0.06

    Cross-site scripting (XSS) via Host Header injection in PKP Open Journals System 2.4.8 >= 3.3 allows remote attackers to inject arbitrary code via the X-Forwarded-Host Header.

  • CVE-2012-1469 · Sep 6, 2012
    risk 0.03 · cvss · epss 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in Open Journal Systems before 2.3.7 allow remote attackers and remote authenticated users to inject arbitrary web script or HTML via the (1) editor or (2) callback parameters to lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibr…

  • CVE-2012-1468 · Sep 6, 2012
    risk 0.03 · cvss · epss 0.03

    Incomplete blacklist vulnerability in Open Journal Systems before 2.3.7 allows remote authenticated users with the Author Role permission to execute arbitrary code by uploading a file with an executable extension that is not ".php", then accessing it via a direct request to the…

  • CVE-2012-1467 · Sep 6, 2012
    risk 0.03 · cvss · epss 0.03

    Multiple directory traversal vulnerabilities in the iBrowser plugin library, as used in Open Journal Systems before 2.3.7, allow remote authenticated users to (1) delete or (2) rename arbitrary files via a .. (dot dot) in the param parameter to…

  • CVE-2024-7902 · Aug 17, 2024
    risk 0.00 · cvss · epss 0.00

    A vulnerability was found in pkp ojs up to 3.4.0-6 and classified as problematic. Affected by this issue is some unknown functionality of the file /login/signOut. The manipulation of the argument source with the input .example.com leads to open redirect. The attack may be…

  • CVE-2024-25436 · Mar 1, 2024
    risk 0.00 · cvss · epss 0.00

    A cross-site scripting (XSS) vulnerability in the Production module of Pkp Ojs v3.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Input subject field under the Add Discussion function.

  • CVE-2024-25434 · Mar 1, 2024
    risk 0.00 · cvss · epss 0.00

    A cross-site scripting (XSS) vulnerability in Pkp Ojs v3.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Publicname parameter.

  • CVE-2024-24511 · Mar 1, 2024
    risk 0.00 · cvss · epss 0.01

    Cross Site Scripting vulnerability in Pkp OJS v.3.4 allows an attacker to execute arbitrary code via the Input Title component.

  • CVE-2024-24512 · Mar 1, 2024
    risk 0.00 · cvss · epss 0.01

    Cross Site Scripting vulnerability in Pkp OJS v.3.4 allows an attacker to execute arbitrary code via the input subtitle component.

  • CVE-2024-25438 · Mar 1, 2024
    risk 0.00 · cvss · epss 0.00

    A cross-site scripting (XSS) vulnerability in the Submission module of Pkp Ojs v3.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Input subject field under the Add Discussion function.

  • CVE-2023-47271 · Nov 5, 2023
    risk 0.00 · cvss · epss 0.01

    PKP-WAL (aka PKP Web Application Library or pkp-lib) before 3.3.0-16, as used in Open Journal Systems (OJS) and other products, does not verify that the file named in an XML document (used for the native import/export plugin) is an image file, before trying to use it for an…

  • CVE-2023-5904 · Nov 1, 2023
    risk 0.00 · cvss · epss 0.00

    Cross-site Scripting (XSS) - Stored in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

  • CVE-2023-5903 · Nov 1, 2023
    risk 0.00 · cvss · epss 0.00

    Cross-site Scripting (XSS) - Stored in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

  • CVE-2023-5900 · Nov 1, 2023
    risk 0.00 · cvss · epss 0.00

    Cross-Site Request Forgery in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

  • CVE-2023-5901 · Nov 1, 2023
    risk 0.00 · cvss · epss 0.00

    Cross-site Scripting in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

  • CVE-2023-5897 · Nov 1, 2023
    risk 0.00 · cvss · epss 0.00

    Cross-Site Request Forgery (CSRF) in GitHub repository pkp/customLocale prior to 1.2.0-1.

  • CVE-2023-5898 · Nov 1, 2023
    risk 0.00 · cvss · epss 0.00

    Cross-Site Request Forgery (CSRF) in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

  • CVE-2023-5902 · Nov 1, 2023
    risk 0.00 · cvss · epss 0.00

    Cross-Site Request Forgery (CSRF) in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

  • CVE-2023-5896 · Nov 1, 2023
    risk 0.00 · cvss · epss 0.00

    Cross-site Scripting (XSS) - Stored in GitHub repository pkp/pkp-lib prior to 3.4.0-4.

  • CVE-2023-5899 · Nov 1, 2023
    risk 0.00 · cvss · epss 0.00

    Cross-Site Request Forgery (CSRF) in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

  • CVE-2023-5895 · Nov 1, 2023
    risk 0.00 · cvss · epss 0.00

    Cross-site Scripting (XSS) - DOM in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

  • CVE-2023-5894 · Nov 1, 2023
    risk 0.00 · cvss · epss 0.00

    Cross-site Scripting (XSS) - Stored in GitHub repository pkp/ojs prior to 3.3.0-16.

  • CVE-2023-5889 · Nov 1, 2023
    risk 0.00 · cvss · epss 0.00

    Insufficient Session Expiration in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

  • CVE-2023-5891 · Nov 1, 2023
    risk 0.00 · cvss · epss 0.00

    Cross-site Scripting (XSS) - Reflected in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

  • CVE-2023-5892 · Nov 1, 2023
    risk 0.00 · cvss · epss 0.00

    Cross-site Scripting (XSS) - Stored in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

  • CVE-2023-5893 · Nov 1, 2023
    risk 0.00 · cvss · epss 0.00

    Cross-Site Request Forgery (CSRF) in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

  • CVE-2023-5890 · Nov 1, 2023
    risk 0.00 · cvss · epss 0.00

    Cross-site Scripting (XSS) - Stored in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

  • CVE-2023-5626 · Oct 17, 2023
    risk 0.00 · cvss · epss 0.00

    Cross-Site Request Forgery (CSRF) in GitHub repository pkp/ojs prior to 3.3.0-16.

  • CVE-2023-4695 · Sep 1, 2023
    risk 0.00 · cvss · epss 0.01

    Use of Predictable Algorithm in Random Number Generator in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

  • CVE-2022-26616 · Apr 4, 2022
    risk 0.00 · cvss · epss 0.01

    PKP Vendor Open Journal System v2.4.8 to v3.3.8 allows attackers to perform reflected cross-site scripting (XSS) attacks via crafted HTTP headers.

  • CVE-2019-19909 · Dec 19, 2019
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in Public Knowledge Project (PKP) pkp-lib before 3.1.2-2, as used in Open Journal Systems (OJS) before 3.1.2-2. Code injection can occur in the OJS report generator if an authenticated Journal Manager user visits a crafted URL, because unserialize is used.

  • CVE-2018-12588 · Med · Jun 19, 2018
    risk 0.00 · cvss 6.1 · epss 0.02

    Cross-site scripting (XSS) vulnerability in templates/frontend/pages/searchResults.tpl in Public Knowledge Project (PKP) Open Monograph Press (OMP) v1.2.0 through 3.1.1-2 before 3.1.1-3 allows remote attackers to inject arbitrary web script or HTML via the catalog.noTitlesSearch…