Preview
Open Original
Full Disclosure mailing list archives
From: Egidio Romano <n0b0d13s () gmail com> Date: Tue, 23 Dec 2025 12:17:34 +0100
----------------------------------------------------------------------
PKP-WAL <= 3.5.0-1 (Institution Collector) SQL Injection Vulnerability
----------------------------------------------------------------------
[-] Software Links:
https://pkp.sfu.ca
https://github.com/pkp/pkp-lib
[-] Affected Versions:
PKP Web Application Library (aka PKP-WAL or pkp-lib) version 3.4.0-9
and prior versions, and version 3.5.0-1 and prior versions, as used in
Open Journal Systems (OJS), Open Monograph Press (OMP), and Open
Preprint Systems (OPS).
[-] Vulnerability Description:
The vulnerability is located in the ...Full Disclosure mailing list archives
From: Egidio Romano <n0b0d13s () gmail com> Date: Tue, 23 Dec 2025 12:17:34 +0100
----------------------------------------------------------------------
PKP-WAL <= 3.5.0-1 (Institution Collector) SQL Injection Vulnerability
----------------------------------------------------------------------
[-] Software Links:
https://pkp.sfu.ca
https://github.com/pkp/pkp-lib
[-] Affected Versions:
PKP Web Application Library (aka PKP-WAL or pkp-lib) version 3.4.0-9
and prior versions, and version 3.5.0-1 and prior versions, as used in
Open Journal Systems (OJS), Open Monograph Press (OMP), and Open
Preprint Systems (OPS).
[-] Vulnerability Description:
The vulnerability is located in the /classes/institution/Collector.php
script. Specifically, into the Collector::getQueryBuilder() method,
where user input passed through the "searchPhrase" GET parameter is
not properly sanitized before being used to construct a SQL query at
lines 143 and 148 by leveraging the DB::raw() method. This can be
exploited by malicious users to e.g. read sensitive data from the
database through boolean-based or time-based SQL Injection attacks.
Successful exploitation of this vulnerability requires an account with
permissions to access the .../api/v1/institutions API endpoint, such
as a "Journal Editor" or "Production Editor" user account on OJS.
[-] Proof of Concept:
https://karmainsecurity.com/pocs/CVE-2025-67889.php
[-] Solution:
Upgrade to versions 3.4.0-10, 3.5.0-2, or later.
[-] Disclosure Timeline:
[25/10/2025] - Vendor notified
[26/10/2025] - Vendor fixed the issue and opened a public GitHub
issue: https://github.com/pkp/pkp-lib/issues/11977
[12/11/2025] - CVE identifier requested
[18/11/2025] - Version 3.4.0-10 released
[12/12/2025] - CVE identifier assigned
[29/11/2025] - Version 3.5.0-2 released
[23/12/2025] - Publication of this advisory
[-] CVE Reference:
The Common Vulnerabilities and Exposures program (cve.org) has
assigned the name CVE-2025-67889 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2025-10
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- [KIS-2025-10] PKP-WAL <= 3.5.0-1 (Institution Collector) SQL Injection Vulnerability Egidio Romano (Dec 27)