Cross-site Scripting (XSS) - Reflected in pkp/omp

Valid

Reported on

Oct 10th 2021


✍️ Description

I was able to perform a Reflected XSS against your website/repository. The Reflected XSS vulnerability occurs when the data provided by the attacker is not sanitized by the server and is then reflected in "normal" pages returned to other users in the course of regular browsing.

Proof of Concept

Check this video for POC: Video

Impact

This can allow attackers to execute arbitrary JavaScript code in different contexts for different purposes (e.g., a malicious attacker could potentially steal the victim's session cookies and completely take over their accounts).

We have contacted a member of the pkp/omp team and are waiting to hear back 2 months ago
Alec Smecher validated this vulnerability 2 months ago
0x7zed has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alec Smecher
2 months ago

Maintainer


Filed: https://github.com/pkp/pkp-lib/issues/7378

Alec Smecher confirmed that a fix has been merged on fb419c 2 months ago
Alec Smecher has been awarded the fix bounty