CVE-2024-24512 in OJS

Summary

by MITRE • 03/02/2024

Cross Site Scripting vulnerability in Pkp OJS v.3.4 allows an attacker to execute arbitrary code via the input subtitle component.

Analysis

by VulDB Data Team • 04/18/2025

The cross-site scripting vulnerability identified as CVE-2024-24512 affects the Public Knowledge Project Open Journal Systems version 3.4, representing a critical security flaw that enables remote code execution through manipulated input fields. This vulnerability specifically targets the subtitle component within the journal management interface, creating an attack vector that attackers can exploit to inject malicious scripts into the application's web interface. The flaw stems from inadequate input validation and sanitization mechanisms within the OJS framework, allowing attackers to bypass security controls that should prevent the execution of unauthorized code within the context of the application.

Technically, the vulnerability resides in insufficient filtering of user-supplied data within the subtitle field processing logic. When users submit content containing malicious script tags or other harmful code elements through the subtitle component, the application fails to properly sanitize or escape these inputs before rendering them in the web interface. This lack of proper input validation creates a persistent cross-site scripting condition that can be leveraged to execute arbitrary JavaScript code within the browser context of authenticated users. The vulnerability falls under CWE-79, which covers improper neutralization of input during web page generation, specifically the failure to properly escape or validate user-supplied data.

The operational impact of this vulnerability extends beyond simple script execution to encompass potential data breaches, session hijacking, and privilege escalation within the journal management system. Attackers can exploit this weakness to steal administrative credentials, modify journal content, or redirect users to malicious websites that can harvest sensitive information from authenticated sessions. The attack surface is particularly concerning given that OJS is a widely used platform for academic publishing, making it a potentially attractive target for threat actors seeking to compromise research institutions or academic organizations. The vulnerability can be exploited by unauthenticated attackers who may not require specific privileges to initiate the malicious payload, though the full impact may depend on the user context and available permissions within the affected system.

Mitigation strategies for CVE-2024-24512 should prioritize immediate patch application from the vendor, as this represents a critical vulnerability requiring urgent attention. Organizations running affected versions of OJS should implement comprehensive input validation measures, including proper HTML escaping techniques, regular expression filtering for script tags, and content security policy implementations to prevent unauthorized code execution. The defense-in-depth approach should include monitoring for suspicious input patterns, implementing web application firewalls, and conducting regular security assessments of the journal management infrastructure. Additionally, administrators should consider implementing multi-factor authentication and role-based access controls to limit the potential damage from successful exploitation attempts. This vulnerability aligns with ATT&CK technique T1566, which covers social engineering attacks through malicious input, and T1059, which involves executing malicious code through various attack vectors including script injection methods.
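
The following is an added example, not code from OJS or from this advisory. It compares two of the mitigations named above on a subtitle value: a regular expression that strips script tags, and HTML output escaping. It shows that the regex filter alone leaves markup that carries no script tag, while escaping makes every sample inert. The sample subtitles, function names and the policy string are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample subtitles (not taken from the advisory or from OJS).
$samples = [
    'Methods & results, 2019-2023',
    '<script>alert(1)</script>',
    '<img src=x onerror=alert(1)>',   // markup without any <script> tag
    '"><svg onload=alert(1)>',        // breaks out of a quoted attribute
];

// Weak on its own: remove <script> elements with a regular expression.
function stripScriptTags(string $s): string
{
    return preg_replace('~<script\b[^>]*>.*?</script>~is', '', $s) ?? '';
}

// Output encoding for HTML text and quoted-attribute contexts.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// True when the string still opens a tag once placed in an HTML page.
function containsMarkup(string $s): bool
{
    return preg_match('~<[a-z!/]~i', $s) === 1;
}

// Defense in depth: send with header() before any output on pages that
// render the subtitle; it blocks inline scripts and inline event handlers.
const SUBTITLE_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

foreach ($samples as $subtitle) {
    printf(
        "%-32s filtered: %-8s escaped: %s\n",
        $subtitle,
        containsMarkup(stripScriptTags($subtitle)) ? 'markup' : 'inert',
        containsMarkup(escapeHtml($subtitle)) ? 'markup' : 'inert'
    );
}
echo 'Content-Security-Policy: ' . SUBTITLE_CSP . "\n";
```

Escaping has to happen at output time in every template that prints the subtitle; the policy header only limits what an unescaped value can do if one rendering path is missed.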

Reservation: 01/25/2024
Disclosure: 03/02/2024
Moderation: accepted
CPE: ready
EPSS: 0.00528
KEV: no
Activities: very low
