CVE-2024-24511 is a Cross Site Scripting (XSS) vulnerability identified in the Public Knowledge Project’s Open Journal Systems (Pkp OJS), a widely used open-source platform for managing and publishing scholarly journals. The vulnerability arises from insufficient sanitization or encoding of user-supplied data in the Input Title component, which allows an attacker to inject malicious scripts. When a victim views or interacts with the maliciously crafted input, the injected script executes in their browser context, potentially allowing session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, no privileges required, but user interaction is necessary, and the scope is changed, meaning the impact crosses security boundaries. Confidentiality and integrity impacts are low, while availability is unaffected. No specific affected versions are listed, but the vulnerability is associated with version 3.4 of Pkp OJS. No patches or known exploits are currently reported, but the vulnerability is publicly disclosed and should be addressed promptly to prevent exploitation. The CWE-79 classification confirms this is a classic reflected or stored XSS issue.

The impact of this vulnerability is primarily on the confidentiality and integrity of user sessions and data within the Pkp OJS platform. Successful exploitation could allow attackers to steal authentication cookies, perform actions on behalf of legitimate users, or deliver further malicious payloads such as malware or phishing content. This could lead to unauthorized access to journal management functions, manipulation of published content, or exposure of sensitive editorial or user information. While availability is not directly affected, the reputational damage and potential data breaches could have significant consequences for academic publishers and institutions relying on Pkp OJS. Given the platform’s use in scholarly publishing worldwide, exploitation could disrupt academic workflows and undermine trust in digital publishing systems.

Organizations should implement strict input validation and output encoding on all user-supplied data, especially in the Input Title component, to prevent script injection. Until official patches are released, administrators can apply web application firewall (WAF) rules to detect and block malicious payloads targeting this vulnerability. Regularly review and sanitize content submitted by users and contributors. Educate users to be cautious of suspicious links or inputs that could trigger XSS attacks. Monitor logs for unusual activity indicative of exploitation attempts. Once vendor patches or updates are available, prioritize their deployment. Additionally, consider implementing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the platform.