Vulnerability Details CVE-2023-47271
PKP-WAL (aka PKP Web Application Library or pkp-lib) before 3.3.0-16, as used in Open Journal Systems (OJS) and other products, does not verify that the file named in an XML document (used for the native import/export plugin) is an image file, before trying to use it for an issue cover image.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 31.1%
CVSS Severity
CVSS v3 Score 5.3
Products affected by CVE-2023-47271
- cpe:2.3:a:sfu:pkp_web_application_library:-
- cpe:2.3:a:sfu:pkp_web_application_library:3.1.2-0
- cpe:2.3:a:sfu:pkp_web_application_library:3.1.2-1
- cpe:2.3:a:sfu:pkp_web_application_library:3.1.2-2
- cpe:2.3:a:sfu:pkp_web_application_library:3.1.2-3
- cpe:2.3:a:sfu:pkp_web_application_library:3.1.2-4
- cpe:2.3:a:sfu:pkp_web_application_library:3.2.0-0
- cpe:2.3:a:sfu:pkp_web_application_library:3.2.0-1
- cpe:2.3:a:sfu:pkp_web_application_library:3.2.0-2
- cpe:2.3:a:sfu:pkp_web_application_library:3.2.0-3
- cpe:2.3:a:sfu:pkp_web_application_library:3.2.1
- cpe:2.3:a:sfu:pkp_web_application_library:3.2.1-0
- cpe:2.3:a:sfu:pkp_web_application_library:3.2.1-1
- cpe:2.3:a:sfu:pkp_web_application_library:3.2.1-2
- cpe:2.3:a:sfu:pkp_web_application_library:3.2.1-3
- cpe:2.3:a:sfu:pkp_web_application_library:3.2.1-4
- cpe:2.3:a:sfu:pkp_web_application_library:3.2.1-5
- cpe:2.3:a:sfu:pkp_web_application_library:3.3.0-0
- cpe:2.3:a:sfu:pkp_web_application_library:3.3.0-1
- cpe:2.3:a:sfu:pkp_web_application_library:3.3.0-10
- cpe:2.3:a:sfu:pkp_web_application_library:3.3.0-11
- cpe:2.3:a:sfu:pkp_web_application_library:3.3.0-12
- cpe:2.3:a:sfu:pkp_web_application_library:3.3.0-13
- cpe:2.3:a:sfu:pkp_web_application_library:3.3.0-14
- cpe:2.3:a:sfu:pkp_web_application_library:3.3.0-15
- cpe:2.3:a:sfu:pkp_web_application_library:3.3.0-2
- cpe:2.3:a:sfu:pkp_web_application_library:3.3.0-3
- cpe:2.3:a:sfu:pkp_web_application_library:3.3.0-4
- cpe:2.3:a:sfu:pkp_web_application_library:3.3.0-5
- cpe:2.3:a:sfu:pkp_web_application_library:3.3.0-6
- cpe:2.3:a:sfu:pkp_web_application_library:3.3.0-7
- cpe:2.3:a:sfu:pkp_web_application_library:3.3.0-8
- cpe:2.3:a:sfu:pkp_web_application_library:3.3.0-9