CVE-2019-19909 Information

Feb 14, 2021 cve

Description

An issue was discovered in Public Knowledge Project (PKP) pkp-lib before 3.1.2-2 as used in Open Journal Systems (OJS) before 3.1.2-2. Code injection can occur in the OJS report generator if an authenticated Journal Manager user visits a crafted URL because unserialize is used.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Reference

https://github.com/pkp/pkp-lib/compare/3_1_2-1…3_1_2-2 https://github.com/pkp/pkp-lib/issues/5302 https://pkp.sfu.ca/ojs/ojs_download/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.8

Share on: