{“lastseen”:”2025-12-23T17:14:09″,”description”:”PKP-WAL versions 3.5.0-1 and below suffer from a cross site request forgery vulnerability…”,”published”:”2025-12-23T00:00:00″,”modified”:”2025-12-23T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 PKP-WAL 3.5.0-1 Cross Site Request Forgery”,”source”:””,”references”:””,”id”:”PACKETSTORM:213269″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-67892″],”sourceData”:”—————————————————————–\\n PKP-WAL \\u003c= 3.5.0-1 Login Cross-Site Request Forgery Vulnerability\\n —————————————————————–\\n \\n \\n [-] Software Links:\\n \\n https:\/\/pkp.sfu.ca\\n https:\/\/github.com\/pkp\/pkp-lib\\n \\n \\n [-] Affected Versions:\\n \\n Version 3.3.0-21 and prior versions.\\n Version 3.4.0-9 and prior versions.\\n Version 3.5.0-1 and prior versions.\\n \\n \\n [-] Vulnerability Description:\\n \\n Open Journal Systems (OJS), Open Monograph Press (OMP), and Open\\n Preprint Systems (OPS) allow users to perform a login without\\n providing the \u201ccsrfToken\u201d parameter, which is included on the\\n client-side, but it\u2019s not validated on the server-side. As such, all\\n these applications are vulnerable to potential \u201cLogin Cross-Site\\n Request Forgery\u201d attacks.\\n \\n \\n [-] Solution:\\n \\n Upgrade to versions 3.3.0-22, 3.4.0-10, 3.5.0-2, or later.\\n \\n \\n [-] Disclosure Timeline:\\n \\n [21\/10\/2025] – Vendor notified\\n \\n [24\/10\/2025] – Vendor fixed the issue and opened a public GitHub\\n issue: https:\/\/github.com\/pkp\/pkp-lib\/issues\/11978\\n \\n [12\/11\/2025] – CVE identifier requested\\n \\n [20\/11\/2025] – Version 3.3.0-22 released\\n \\n [22\/11\/2025] – Version 3.4.0-10 released\\n \\n [12\/12\/2025] – CVE identifier assigned\\n \\n [29\/11\/2025] – Version 3.5.0-2 released\\n \\n [23\/12\/2025] – Publication of this advisory\\n \\n \\n [-] CVE Reference:\\n \\n The Common Vulnerabilities and Exposures program (cve.org) has\\n assigned the name CVE-2025-67892 to this vulnerability.\\n \\n \\n [-] Credits:\\n \\n Vulnerability discovered by Egidio Romano.\\n \\n \\n [-] Original Advisory:\\n \\n http:\/\/karmainsecurity.com\/KIS-2025-14″,”sourceHref”:”https:\/\/packetstorm.news\/download\/213269″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/213269\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-23T17:14:09″,”description”:”PKP-WAL versions 3.5.0-1 and below suffer from a cross site request forgery vulnerability…”,”published”:”2025-12-23T00:00:00″,”modified”:”2025-12-23T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 PKP-WAL 3.5.0-1 Cross Site Request Forgery”,”source”:””,”references”:””,”id”:”PACKETSTORM:213269″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-67892″],”sourceData”:”—————————————————————–\\n PKP-WAL \\u003c= 3.5.0-1 Login Cross-Site Request…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-32541","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n