CVE-2024-24512 is a medium severity Cross Site Scripting (XSS) vulnerability identified in the Public Knowledge Project's Open Journal Systems (Pkp OJS) version 3.4. The vulnerability resides in the input subtitle component, where insufficient sanitization of user-supplied input allows an attacker to inject malicious scripts. When a victim user interacts with the crafted input, the malicious code executes in their browser context, potentially leading to theft of session tokens, manipulation of displayed content, or other unauthorized actions within the web application. The vulnerability requires no privileges (PR:N) and can be exploited remotely over the network (AV:N), but it does require user interaction (UI:R) such as viewing a maliciously crafted page or input. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component, impacting confidentiality and integrity (C:L/I:L) but not availability (A:N). The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, resulting in a base score of 6.1. No known exploits have been reported in the wild, and no official patches have been linked yet. The vulnerability is classified under CWE-79, which corresponds to improper neutralization of input during web page generation. This flaw could be leveraged by attackers to conduct phishing, session hijacking, or defacement attacks within the academic publishing platform environment.

The primary impact of CVE-2024-24512 is the compromise of confidentiality and integrity within affected Pkp OJS installations. Attackers can execute arbitrary scripts in the context of users interacting with the subtitle input component, potentially stealing sensitive information such as authentication cookies or personal data. This can lead to unauthorized access or manipulation of journal content, undermining trust in the academic publishing platform. While availability is not directly affected, the reputational damage and potential data breaches could have significant consequences for organizations relying on Pkp OJS for scholarly communication. Given the widespread use of Pkp OJS in academic institutions globally, the vulnerability poses a moderate risk to universities, research organizations, and publishers. The requirement for user interaction somewhat limits exploitation, but targeted attacks against editorial staff or contributors remain a concern. Without timely mitigation, attackers could leverage this vulnerability to facilitate further attacks or persistent access.

To mitigate CVE-2024-24512, organizations should implement strict input validation and output encoding on the subtitle component to neutralize malicious scripts. Employing a Content Security Policy (CSP) can help restrict the execution of unauthorized scripts. Administrators should monitor official Pkp OJS channels for patches or updates addressing this vulnerability and apply them promptly once available. In the interim, restricting or sanitizing user input in subtitle fields through custom filters or plugins can reduce risk. Educating users about the dangers of interacting with untrusted content within the platform is also critical. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting the subtitle input may provide additional protection. Regular security assessments and code reviews focusing on input handling can prevent similar issues in future releases.