📄 Open Journal Systems 3.5.0-1 Path Traversal

🗓️ 23 Dec 2025 00:00:00 | Reported by EgiX | Type: packetstorm | 🔗 packetstorm.news

Open Journal Systems path traversal via Native XML Plugin enables RCE through file name handling.

Related

- CVE: CVE-2025-67890 (published 18 Sep 2025 00:00, type: cve)
- Positive Technologies: PT-2025-38403 (published 18 Sep 2025 00:00, type: ptsecurity)

    ---------------------------------------------------------------------------------------------
    Open Journal Systems <= 3.5.0-1 (NativeXmlIssueGalleyFilter.php) Path
    Traversal Vulnerability
    ---------------------------------------------------------------------------------------------
    
    
    [-] Software Links:
    
    https://pkp.sfu.ca/software/ojs/
    https://github.com/pkp/ojs
    
    
    [-] Affected Versions:
    
    Version 3.3.0-21 and prior versions.
    Version 3.4.0-9 and prior versions.
    Version 3.5.0-1 and prior versions.
    
    
    [-] Vulnerability Description:
    
    The vulnerability exists because user input passed to the "Native XML
    Plugin" through the issue -> issue_galleys -> issue_galley ->
    issue_file -> file_name tag of the imported XML file is not properly
    sanitized before being used to set the "server-side file name", which
    is later used as the final part of a variable which is used in a
    call to the writeFile() method without proper validation. This can be
    exploited to write/overwrite arbitrary files on the web server via
    Path Traversal sequences, potentially leading to, e.g., execution of
    arbitrary PHP code (RCE).
    
    Successful exploitation of this vulnerability requires an account with
    permissions to access the "Import/Export" plugin ("Native XML
    Plugin"), such as a "Journal Editor" or "Production Editor" user
    account. Furthermore, in order to perform the following Remote Code
    Execution (RCE) attack, the attacker should know or guess/disclose the
    webserver path in which OJS is located (e.g.
    /var/www/html/ojs-3.5.0-1).
    
    
    [-] Solution:
    
    Upgrade to versions 3.3.0-22, 3.4.0-10, 3.5.0-2, or later.
    
    
    [-] Disclosure Timeline:
    
    [21/10/2025] - Vendor notified
    [24/10/2025] - Vendor fixed the issue and opened a public GitHub
    issue: https://github.com/pkp/pkp-lib/issues/11973
    [12/11/2025] - CVE identifier requested
    [20/11/2025] - Version 3.3.0-22 released
    [22/11/2025] - Version 3.4.0-10 released
    [12/12/2025] - CVE identifier assigned
    [29/11/2025] - Version 3.5.0-2 released
    [23/12/2025] - Publication of this advisory
    
    
    [-] CVE Reference:
    
    The Common Vulnerabilities and Exposures program (cve.org) has
    assigned the name CVE-2025-67890 to this vulnerability.
    
    
    [-] Credits:
    
    Vulnerability discovered by Egidio Romano.
    
    
    [-] Original Advisory:
    
    http://karmainsecurity.com/KIS-2025-11
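
A pre-import audit that an administrator could run over Native XML files before they reach the plugin, flagging any `file_name` under `issue_file` that is not a plain file name. This is an added example, not code from the advisory or from OJS; the function names, the `urn:example` namespace and the sample XML are constructed for illustration, and the check matches element names while ignoring namespaces.

```python
import xml.etree.ElementTree as ET


def local(tag):
    """Strip any '{namespace}' prefix so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def is_plain_basename(name):
    """True only if the value is a single path component with no traversal."""
    name = name.strip()
    if not name or name in (".", "..") or "\x00" in name:
        return False
    # Reject both separator styles: the value should never contain a directory part.
    return "/" not in name and "\\" not in name


def audit_import(xml_text):
    """Return file_name values under issue_file that are not plain file names."""
    root = ET.fromstring(xml_text)
    findings = []
    for element in root.iter():
        if local(element.tag) != "issue_file":
            continue
        for child in element:
            if local(child.tag) == "file_name":
                value = child.text or ""
                if not is_plain_basename(value):
                    findings.append(value)
    return findings


# Constructed sample (not a real OJS export): one normal galley, one suspicious.
SAMPLE = """<issue xmlns="urn:example">
  <issue_galleys>
    <issue_galley><issue_file><file_name>issue-1.pdf</file_name></issue_file></issue_galley>
    <issue_galley><issue_file><file_name>../../outside.pdf</file_name></issue_file></issue_galley>
  </issue_galleys>
</issue>"""

if __name__ == "__main__":
    for value in audit_import(SAMPLE):
        print("non-basename file_name:", repr(value))
```

A finding here is a reason to reject the file and review who submitted it; upgrading to a fixed release remains the remedy.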
