CVE-2019-19909
Severity: HIGH | WAF coverage: Medium
CVSS 8.8
Published: 2019-12-19
CWE-94 (Improper Control of Generation of Code, 'Code Injection'), CWE-502 (Deserialization of Untrusted Data)
An issue was discovered in Public Knowledge Project (PKP) pkp-lib before 3.1.2-2, as used in Open Journal Systems (OJS) before 3.1.2-2. Code injection can occur in the OJS report generator if an authenticated Journal Manager user visits a crafted URL, because unserialize is used. This is the PHP object injection pattern: attacker-controlled serialized data from the URL reaches unserialize(), which instantiates whatever class the payload names and fills its properties, so any application class with a magic method (__wakeup, __destruct, __toString) becomes a gadget. The CWE-502 root cause is why the outcome is classified as code injection (CWE-94); the precondition is that the victim holds the Journal Manager role.
WAF Coverage Analysis
Code Injection
Medium WAF Coverage
OWASP: A03:2021 Injection
- 932xxx - Remote Code Execution
- 933xxx - PHP Injection
- 934xxx - Node.js / Generic Injection
Insecure Deserialization
Medium WAF Coverage
OWASP: A08:2021 Software and Data Integrity Failures
- 944xxx - Java Attack (Java-specific deserialization signatures; they do not match PHP serialized objects)
Caveat: this CVE is a PHP unserialize() issue, so the 944xxx family is not the relevant coverage. The rule that keys on a PHP serialized object token (`O:<len>:"<class>":`) in request data lives in the 933xxx PHP Injection family (CRS 933170, "PHP Injection Attack: Serialized Object Injection"). Coverage stays Medium because a signature on the raw token is defeated by an extra encoding layer (for example base64) that the WAF does not decode before matching.
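The following is an added example, not code from OJS or pkp-lib, that shows the unserialize-on-URL-input pattern the description refers to beside two hardened forms, and a simplified version of the serialized-object signature the 933xxx rule family relies on. The handler functions, the `columns` GET parameter, the base64 wrapping and the `ReportTemplate` class are assumptions chosen for the illustration; the real report generator's parameter name and the actual upstream fix are not shown on this page.

```php
<?php
// Added illustration for CVE-2019-19909, not code from OJS or pkp-lib.
// The handler functions, the "columns" GET parameter, the base64 wrapping and
// the ReportTemplate class are assumptions chosen to show the pattern.
// Assumes PHP 7.4+ (typed properties, allowed_classes, JSON_THROW_ON_ERROR).
declare(strict_types=1);

// Records what the gadget did, so the effect of each handler is observable.
final class GadgetLog
{
    public static array $calls = [];
}

// Stand-in for an application class an attacker can reach through unserialize().
// In a real gadget chain __destruct or __wakeup would write a file, include a
// path or invoke a callback; here it only logs.
final class ReportTemplate
{
    public string $path = '';

    public function __destruct()
    {
        GadgetLog::$calls[] = "ReportTemplate::__destruct path={$this->path}";
    }
}

// VULNERABLE: report state from the URL goes straight into unserialize().
// PHP instantiates whatever class the attacker names and populates its
// properties; magic methods then run with attacker-chosen values.
function vulnerableReportState(array $query): array
{
    $raw = base64_decode($query['columns'] ?? '', true);
    if ($raw === false || $raw === '') {
        return [];
    }
    $state = unserialize($raw);
    return is_array($state) ? $state : [];
}

// HARDENED (minimal change): never instantiate classes from the payload.
// Scalars and arrays still round-trip; any object becomes
// __PHP_Incomplete_Class and no magic method fires.
function hardenedReportStateNoClasses(array $query): array
{
    $raw = base64_decode($query['columns'] ?? '', true);
    if ($raw === false || $raw === '') {
        return [];
    }
    $state = unserialize($raw, ['allowed_classes' => false]);
    return is_array($state) ? $state : [];
}

// HARDENED (preferred): carry state in a format that cannot name a class.
function hardenedReportStateJson(array $query): array
{
    $raw = $query['columns'] ?? '';
    if ($raw === '') {
        return [];
    }
    $state = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    return is_array($state) ? $state : [];
}

// Roughly what a PHP-injection WAF signature keys on: the serialized-object
// token O:<len>:"<class>":<n>:{ in the request value after URL decoding.
// Constructed check for illustration, not the CRS regex.
function looksLikeSerializedObject(string $decodedRequestValue): bool
{
    return (bool) preg_match('/\bO:\d+:"[^"]+":\d+:\{/', $decodedRequestValue);
}

// Constructed payload, hand-built the way an attacker would build it: a
// ReportTemplate whose single property the attacker controls.
$serialized = 'O:14:"ReportTemplate":1:{s:4:"path";s:10:"/tmp/x.php";}';

// Direct form: a signature on the raw value catches it. Wrapped in base64, as
// the parameter would travel in the crafted URL, a signature that does not
// decode that layer sees nothing.
var_dump(looksLikeSerializedObject($serialized));
$encoded = base64_encode($serialized);
var_dump(looksLikeSerializedObject($encoded));

// Vulnerable handler: the object is instantiated and its destructor runs as
// soon as the temporary goes out of scope, with the attacker's path.
vulnerableReportState(['columns' => $encoded]);
var_dump(GadgetLog::$calls);

// Hardened handlers: no class is instantiated, nothing is logged.
GadgetLog::$calls = [];
hardenedReportStateNoClasses(['columns' => $encoded]);
hardenedReportStateJson(['columns' => json_encode(['path' => '/tmp/x.php'])]);
var_dump(GadgetLog::$calls);
```

Run with `php example.php`: the signature check is true for the raw token and false for the base64-wrapped form, the vulnerable handler leaves one `__destruct` entry in the log, and both hardened handlers leave it empty. The `allowed_classes` option is the smallest safe change when the serialized format cannot be replaced immediately; moving the state to JSON removes the class-instantiation capability entirely, which is why it is the preferred fix for new code.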
Affected Software
| Vendor | Product | Version |
|---|---|---|
| sfu | open_journal_system | before 3.1.2-2 (fixed in 3.1.2-2) |
| pkp | pkp-lib (library bundled with OJS) | before 3.1.2-2 (fixed in 3.1.2-2) |
References
- github.com (Patch, Third Party Advisory)
- github.com (Third Party Advisory)
- pkp.sfu.ca (Vendor Advisory)