Vulnerability CVE-2019-19909

Vulnerability CVE-2019-19909

Published: 2019-12-19

Description:

An issue was discovered in Public Knowledge Project (PKP) pkp-lib before 3.1.2-2, as used in Open Journal Systems (OJS) before 3.1.2-2. Code injection can occur in the OJS report generator if an authenticated Journal Manager user visits a crafted URL, because unserialize is used.

Type:

CWE-502

(Deserialization of Untrusted Data)

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score	Impact Subscore	Exploitability Subscore
6.8/10	6.4/10	8.6/10

Exploit range	Attack complexity	Authentication
Remote	Medium	No required
Confidentiality impact	Integrity impact	Availability impact
Partial	Partial	Partial

Affected software
SFU -> Open journal system

References:

https://github.com/pkp/pkp-lib/compare/3_1_2-1...3_1_2-2

https://github.com/pkp/pkp-lib/issues/5302

https://pkp.sfu.ca/ojs/ojs_download/

Copyright 2024, cxsecurity.com