A security vulnerability has been detected in Public Knowledge Project omp and ojs 3.3.0/3.4.0/3.5.0. Impacted is an unknown function of the file plugins/paymethod/manual/templates/paymentForm.tpl of the component Payment Instructions Setting Handler. The manipulation of the argument manualInstructions leads to cross site scripting. The attack can be initiated remotely. You should upgrade the affected component.
Cross-Site Scripting (XSS) vulnerability exists in Public Knowledge Project (PKP) Open Monograph Press (OMP) and Open Journal Systems (OJS) versions 3.3.0, 3.4.0, and 3.5.0. This flaw allows attackers to inject malicious JavaScript code into the manualInstructions field within the payment settings, potentially leading to account compromise, data theft, and website defacement.
Step 1: Payload Delivery: The attacker crafts a malicious JavaScript payload (e.g., <script>alert('XSS')</script>) and embeds it within the manualInstructions field, typically through a crafted HTTP request to the vulnerable application's payment settings configuration.
Step 2: Data Storage: The attacker's crafted payload is stored within the application's database, associated with the payment instructions.
Step 3: Victim Interaction: A legitimate user, such as an administrator or editor, accesses the payment settings page or any page that displays the payment instructions.
Step 4: Payload Execution: The vulnerable application retrieves the manualInstructions data from the database and renders it in the HTML response without proper sanitization. The attacker's JavaScript payload is then executed within the victim's browser, allowing the attacker to perform actions on behalf of the user.
The vulnerability stems from insufficient input validation and output encoding within the plugins/paymethod/manual/templates/paymentForm.tpl file, specifically when handling the manualInstructions parameter. The application fails to properly sanitize user-supplied input before rendering it in the HTML response. This lack of sanitization allows an attacker to inject arbitrary JavaScript code, which is then executed in the context of the victim's browser. The root cause is a missing or inadequate input validation and output encoding mechanism for the manualInstructions parameter, leading to a stored XSS vulnerability.