
CVE-2024-50965: n/a

Severity: Medium
Published: Fri Nov 22 2024 (11/22/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

CVE-2024-50965 is a Cross-Site Scripting (XSS) vulnerability affecting the Public Knowledge Project (PKP) Platform, including Open Journal Systems (OJS), Open Monograph Press (OMP), and Open Preprint Systems (OPS) versions before 3.3.0.16. This vulnerability allows an attacker with limited privileges and requiring user interaction to execute arbitrary scripts in the context of the affected web application, potentially escalating privileges. The vulnerability has a CVSS score of 5.4 (medium severity) and involves a reflected or stored XSS flaw (CWE-79). While no known exploits are currently reported in the wild, the vulnerability poses risks to confidentiality and integrity of data within these academic publishing platforms. Exploitation requires a crafted script and some level of user interaction, with the attacker needing at least limited privileges. Organizations using vulnerable versions of PKP platforms should prioritize patching once updates are available and implement input validation and output encoding as interim mitigations.

AI-Powered Analysis

Last updated: 02/26/2026, 01:12:16 UTC

Technical Analysis

CVE-2024-50965 identifies a Cross-Site Scripting (XSS) vulnerability in the Public Knowledge Project (PKP) Platform, specifically affecting Open Journal Systems (OJS), Open Monograph Press (OMP), and Open Preprint Systems (OPS) prior to version 3.3.0.16. XSS vulnerabilities arise when an application improperly sanitizes user-supplied input, allowing malicious scripts to be injected and executed in the browsers of other users. In this case, the vulnerability allows an attacker to inject crafted scripts that execute arbitrary code within the context of the affected web application. The attacker requires limited privileges (PR:L) and user interaction (UI:R) to exploit the flaw, which suggests that the attacker might need to trick a user with higher privileges into clicking a malicious link or submitting crafted input. The vulnerability impacts confidentiality and integrity by enabling script execution that could steal session tokens, manipulate content, or escalate privileges within the platform. The CVSS vector indicates network attack vector (AV:N), low attack complexity (AC:L), and scope change (S:C), meaning the vulnerability can affect resources beyond the initially compromised component. No patches or exploits are currently documented, but the vulnerability is publicly disclosed and assigned a medium severity rating with a CVSS score of 5.4. The underlying weakness is classified under CWE-79, which is a common and well-understood web application security flaw. The PKP platform is widely used by academic institutions and publishers globally to manage scholarly content, making the vulnerability relevant to organizations relying on these systems for publishing and peer review workflows.

Potential Impact

The primary impact of CVE-2024-50965 is the potential compromise of confidentiality and integrity within affected PKP platforms. Successful exploitation could allow attackers to execute arbitrary JavaScript code in the context of users’ browsers, leading to session hijacking, unauthorized actions, data manipulation, or privilege escalation. This could disrupt editorial workflows, compromise sensitive academic data, or damage the trustworthiness of scholarly publishing platforms. Although availability impact is rated as none, the indirect effects of data corruption or unauthorized access could have operational consequences. Given the widespread use of PKP platforms in academic and research institutions worldwide, the vulnerability could affect a broad range of organizations, especially those with limited security resources or delayed patching processes. The requirement for user interaction and limited privileges reduces the likelihood of automated mass exploitation but does not eliminate targeted attacks, particularly against high-value academic or research targets. The scope change in the CVSS vector indicates that the vulnerability could affect components beyond the initial vulnerable module, increasing the potential reach of an attack.

Mitigation Recommendations

Organizations should prioritize upgrading PKP platforms to version 3.3.0.16 or later once patches are released to fully remediate CVE-2024-50965. Until patches are available, implement strict input validation and output encoding on all user-supplied data fields to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts within the application context. Limit user privileges to the minimum necessary, especially for users who can submit or approve content, to reduce the risk of privilege escalation. Conduct regular security audits and penetration testing focused on web application vulnerabilities, including XSS. Educate users about the risks of clicking on suspicious links or submitting untrusted content. Monitor web application logs for unusual activity that may indicate attempted exploitation. Consider deploying Web Application Firewalls (WAFs) with rules tuned to detect and block XSS payloads targeting PKP platforms. Finally, maintain an incident response plan that includes procedures for handling web application compromises.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-10-28T00:00:00.000Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 699f6ba2b7ef31ef0b557672

Added to database: 2/25/2026, 9:37:38 PM

Last enriched: 2/26/2026, 1:12:16 AM

Last updated: 2/26/2026, 8:53:01 AM
