Vendor CVEs
Pkp
All CVEs
36 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-46326 | | Med | 0.40 | 6.1 | 0.00 | | Oct 21, 2024 | Public Knowledge Project pkp-lib 3.4.0-7 and earlier is vulnerable to Open redirect due to a lack of input sanitization in the logout function. |
| CVE-2018-12229 | | Med | 0.40 | 6.1 | 0.02 | | Jun 12, 2018 | Cross-site scripting (XSS) vulnerability in Public Knowledge Project (PKP) Open Journal System (OJS) 3.0.0 to 3.1.1-1 allows remote attackers to inject arbitrary web script or HTML via the templates/frontend/pages/search.tpl parameter (aka the By Author field). |
| CVE-2024-50965 | | Med | 0.35 | 5.4 | 0.00 | | Nov 22, 2024 | Cross Site Scripting vulnerability in Public Knowledge Project PKP Platform OJS/OMP/OPS before v.3.3.0.16 allows an attacker to execute arbitrary code and escalate privileges via a crafted script. |
| CVE-2025-13469 | | Low | 0.16 | 2.4 | 0.00 | | Nov 20, 2025 | A security vulnerability has been detected in Public Knowledge Project omp and ojs 3.3.0/3.4.0/3.5.0. Impacted is an unknown function of the file plugins/paymethod/manual/templates/paymentForm.tpl of the component Payment Instructions Setting Handler. The manipulation of the… |
| CVE-2022-24181 | | | 0.03 | — | 0.06 | | Apr 1, 2022 | Cross-site scripting (XSS) via Host Header injection in PKP Open Journals System 2.4.8 >= 3.3 allows remote attackers to inject arbitrary code via the X-Forwarded-Host Header. |
| CVE-2012-1469 | | | 0.03 | — | 0.03 | | Sep 6, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in Open Journal Systems before 2.3.7 allow remote attackers and remote authenticated users to inject arbitrary web script or HTML via the (1) editor or (2) callback parameters to lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibr… |
| CVE-2012-1468 | | | 0.03 | — | 0.03 | | Sep 6, 2012 | Incomplete blacklist vulnerability in Open Journal Systems before 2.3.7 allows remote authenticated users with the Author Role permission to execute arbitrary code by uploading a file with an executable extension that is not ".php", then accessing it via a direct request to the… |
| CVE-2012-1467 | | | 0.03 | — | 0.03 | | Sep 6, 2012 | Multiple directory traversal vulnerabilities in the iBrowser plugin library, as used in Open Journal Systems before 2.3.7, allow remote authenticated users to (1) delete or (2) rename arbitrary files via a .. (dot dot) in the param parameter to… |
| CVE-2024-7902 | | | 0.00 | — | 0.00 | | Aug 17, 2024 | A vulnerability was found in pkp ojs up to 3.4.0-6 and classified as problematic. Affected by this issue is some unknown functionality of the file /login/signOut. The manipulation of the argument source with the input .example.com leads to open redirect. The attack may be… |
| CVE-2024-25436 | | | 0.00 | — | 0.00 | | Mar 1, 2024 | A cross-site scripting (XSS) vulnerability in the Production module of Pkp Ojs v3.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Input subject field under the Add Discussion function. |
| CVE-2024-25434 | | | 0.00 | — | 0.00 | | Mar 1, 2024 | A cross-site scripting (XSS) vulnerability in Pkp Ojs v3.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Publicname parameter. |
| CVE-2024-24511 | | | 0.00 | — | 0.01 | | Mar 1, 2024 | Cross Site Scripting vulnerability in Pkp OJS v.3.4 allows an attacker to execute arbitrary code via the Input Title component. |
| CVE-2024-24512 | | | 0.00 | — | 0.01 | | Mar 1, 2024 | Cross Site Scripting vulnerability in Pkp OJS v.3.4 allows an attacker to execute arbitrary code via the input subtitle component. |
| CVE-2024-25438 | | | 0.00 | — | 0.00 | | Mar 1, 2024 | A cross-site scripting (XSS) vulnerability in the Submission module of Pkp Ojs v3.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Input subject field under the Add Discussion function. |
| CVE-2023-47271 | | | 0.00 | — | 0.01 | | Nov 5, 2023 | PKP-WAL (aka PKP Web Application Library or pkp-lib) before 3.3.0-16, as used in Open Journal Systems (OJS) and other products, does not verify that the file named in an XML document (used for the native import/export plugin) is an image file, before trying to use it for an… |
| CVE-2023-5904 | | | 0.00 | — | 0.00 | | Nov 1, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| CVE-2023-5903 | | | 0.00 | — | 0.00 | | Nov 1, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| CVE-2023-5900 | | | 0.00 | — | 0.00 | | Nov 1, 2023 | Cross-Site Request Forgery in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| CVE-2023-5901 | | | 0.00 | — | 0.00 | | Nov 1, 2023 | Cross-site Scripting in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| CVE-2023-5897 | | | 0.00 | — | 0.00 | | Nov 1, 2023 | Cross-Site Request Forgery (CSRF) in GitHub repository pkp/customLocale prior to 1.2.0-1. |
| CVE-2023-5898 | | | 0.00 | — | 0.00 | | Nov 1, 2023 | Cross-Site Request Forgery (CSRF) in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| CVE-2023-5902 | | | 0.00 | — | 0.00 | | Nov 1, 2023 | Cross-Site Request Forgery (CSRF) in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| CVE-2023-5896 | | | 0.00 | — | 0.00 | | Nov 1, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository pkp/pkp-lib prior to 3.4.0-4. |
| CVE-2023-5899 | | | 0.00 | — | 0.00 | | Nov 1, 2023 | Cross-Site Request Forgery (CSRF) in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| CVE-2023-5895 | | | 0.00 | — | 0.00 | | Nov 1, 2023 | Cross-site Scripting (XSS) - DOM in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| CVE-2023-5894 | | | 0.00 | — | 0.00 | | Nov 1, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository pkp/ojs prior to 3.3.0-16. |
| CVE-2023-5889 | | | 0.00 | — | 0.00 | | Nov 1, 2023 | Insufficient Session Expiration in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| CVE-2023-5891 | | | 0.00 | — | 0.00 | | Nov 1, 2023 | Cross-site Scripting (XSS) - Reflected in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| CVE-2023-5892 | | | 0.00 | — | 0.00 | | Nov 1, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| CVE-2023-5893 | | | 0.00 | — | 0.00 | | Nov 1, 2023 | Cross-Site Request Forgery (CSRF) in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| CVE-2023-5890 | | | 0.00 | — | 0.00 | | Nov 1, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| CVE-2023-5626 | | | 0.00 | — | 0.00 | | Oct 17, 2023 | Cross-Site Request Forgery (CSRF) in GitHub repository pkp/ojs prior to 3.3.0-16. |
| CVE-2023-4695 | | | 0.00 | — | 0.01 | | Sep 1, 2023 | Use of Predictable Algorithm in Random Number Generator in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
| CVE-2022-26616 | | | 0.00 | — | 0.01 | | Apr 4, 2022 | PKP Vendor Open Journal System v2.4.8 to v3.3.8 allows attackers to perform reflected cross-site scripting (XSS) attacks via crafted HTTP headers. |
| CVE-2019-19909 | | | 0.00 | — | 0.01 | | Dec 19, 2019 | An issue was discovered in Public Knowledge Project (PKP) pkp-lib before 3.1.2-2, as used in Open Journal Systems (OJS) before 3.1.2-2. Code injection can occur in the OJS report generator if an authenticated Journal Manager user visits a crafted URL, because unserialize is used. |
| CVE-2018-12588 | | Med | 0.00 | 6.1 | 0.02 | | Jun 19, 2018 | Cross-site scripting (XSS) vulnerability in templates/frontend/pages/searchResults.tpl in Public Knowledge Project (PKP) Open Monograph Press (OMP) v1.2.0 through 3.1.1-2 before 3.1.1-3 allows remote attackers to inject arbitrary web script or HTML via the catalog.noTitlesSearch… |