CVE-2012-1469 Information
Description
Multiple cross-site scripting (XSS) vulnerabilities in Open Journal Systems before 2.3.7 allow remote attackers and remote authenticated users to inject arbitrary web script or HTML via (1) the editor parameter or (2) the callback parameter to lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/ibrowser.php in the iBrowser plugin; (3) the authors[][url] parameter to index.php; or the (4) Bio Statement or (5) Abstract of Submission fields, which are passed to the stripUnsafeHtml function in lib/pkp/classes/core/String.inc.php.
Reference
http://archives.neohapsis.com/archives/bugtraq/2012-03/0102.html
http://pkp.sfu.ca/ojs/RELEASE-2.3.7
http://pkp.sfu.ca/support/forum/viewtopic.php?f=2&t=8431
http://secunia.com/advisories/48449
http://secunia.com/advisories/48464
http://www.osvdb.org/80255
http://www.osvdb.org/80256
http://www.osvdb.org/80257
https://exchange.xforce.ibmcloud.com/vulnerabilities/74225
https://exchange.xforce.ibmcloud.com/vulnerabilities/74226
https://exchange.xforce.ibmcloud.com/vulnerabilities/74227
https://exchange.xforce.ibmcloud.com/vulnerabilities/74228
https://www.htbridge.com/advisory/HTB23079