CVE-2024-25438 is a cross-site scripting (XSS) vulnerability identified in the Submission module of the Public Knowledge Project's Open Journal Systems (PKP OJS) version 3.3. The flaw resides in the Add Discussion function, specifically in the Input subject field, where insufficient input sanitization allows attackers to inject crafted payloads containing arbitrary web scripts or HTML. When a victim user views the injected content, the malicious script executes within their browser context, potentially enabling session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability requires no authentication (PR:N) but does require user interaction (UI:R) to trigger the malicious script. The attack vector is network-based (AV:N), meaning exploitation can be attempted remotely over the internet. The vulnerability affects confidentiality and integrity but does not impact availability. The scope is changed (S:C) because the vulnerability affects components beyond the initially vulnerable module, potentially impacting other parts of the application. The CVSS 3.1 base score is 6.1, indicating a medium severity level. No known exploits have been reported in the wild, and no official patches have been released at the time of publication. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation. PKP OJS is widely used by academic journals and research institutions for managing and publishing scholarly content, making this vulnerability relevant to the academic publishing sector worldwide.

The primary impact of CVE-2024-25438 is on the confidentiality and integrity of user data within PKP OJS installations. Successful exploitation allows attackers to execute arbitrary scripts in the context of authenticated users, potentially leading to session hijacking, theft of sensitive information such as login credentials or personal data, and unauthorized actions performed with the victim's privileges. Although availability is not directly affected, the breach of confidentiality and integrity can undermine trust in the affected journal platforms and disrupt academic publishing workflows. Organizations relying on PKP OJS for scholarly communication may face reputational damage, data leakage, and compliance issues, especially if sensitive or embargoed research data is exposed. The vulnerability's requirement for user interaction limits automated exploitation but does not eliminate risk, particularly in environments where users may be targeted via phishing or social engineering. The lack of an official patch increases the window of exposure, emphasizing the need for proactive mitigation.

1. Implement strict input validation and sanitization on the Input subject field within the Add Discussion function to neutralize malicious scripts before storage or rendering. 2. Apply output encoding/escaping on all user-supplied content displayed in the web interface to prevent script execution. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the browser. 4. Educate users about the risks of clicking on suspicious links or interacting with untrusted content within the platform. 5. Monitor official PKP OJS channels for security updates and apply patches promptly once available. 6. Consider deploying web application firewalls (WAFs) with rules targeting XSS attack patterns to provide an additional layer of defense. 7. Review and restrict permissions for users who can add discussions or submit content to minimize exposure. 8. Conduct regular security assessments and code reviews focusing on input handling and output rendering in the affected modules.