{"id":32546,"date":"2025-12-23T11:54:34","date_gmt":"2025-12-23T11:54:34","guid":{"rendered":"http:\/\/localhost\/?p=32546"},"modified":"2025-12-23T11:54:34","modified_gmt":"2025-12-23T11:54:34","slug":"open-journal-systems-350-1-path-traversal","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=32546","title":{"rendered":"\ud83d\udcc4 Open Journal Systems 3.5.0-1 Path Traversal_PACKETSTORM:213266"},"content":{"rendered":"

{“lastseen”:”2025-12-23T17:14:43″,”description”:”Open Journal Systems versions 3.5.0-1 and below suffer from a path traversal vulnerability in NativeXmlIssueGalleyFilter.php…”,”published”:”2025-12-23T00:00:00″,”modified”:”2025-12-23T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Open Journal Systems 3.5.0-1 Path Traversal”,”source”:””,”references”:””,”id”:”PACKETSTORM:213266″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-67890″],”sourceData”:”———————————————————————————————\\n Open Journal Systems \\u003c= 3.5.0-1 (NativeXmlIssueGalleyFilter.php) Path\\n Traversal Vulnerability\\n ———————————————————————————————\\n \\n \\n [-] Software Links:\\n \\n https:\/\/pkp.sfu.ca\/software\/ojs\/\\n https:\/\/github.com\/pkp\/ojs\\n \\n \\n [-] Affected Versions:\\n \\n Version 3.3.0-21 and prior versions.\\n Version 3.4.0-9 and prior versions.\\n Version 3.5.0-1 and prior versions.\\n \\n \\n [-] Vulnerability Description:\\n \\n The vulnerability exists because user input passed to the \\”Native XML\\n Plugin\\” through the issue -\\u003e issue_galleys -\\u003e issue_galley -\\u003e\\n issue_file -\\u003e file_name tag of the imported XML file is not properly\\n sanitized before being used to set the \\”server-side file name\\”, which\\n is later used as the final part of a variable which is used at in a\\n call to the writeFile() method without proper validation. This can be\\n exploited to write\/overwrite arbitrary files on the web server via\\n Path Traversal sequences, potentially leading to, e.g., execution of\\n arbitrary PHP code (RCE).\\n \\n Successful exploitation of this vulnerability requires an account with\\n permissions to access the \\”Import\/Export\\” plugin (\\”Native XML\\n Plugin\\”), such as a \\”Journal Editor\\” or \\”Production Editor\\” user\\n account. Furthermore, in order to perform the following Remote Code\\n Execution (RCE) attack, the attacker should know or guess\/disclose the\\n webserver path in which OJS is located (e.g.\\n \/var\/www\/html\/ojs-3.5.0-1).\\n \\n \\n [-] Solution:\\n \\n Upgrade to versions 3.3.0-22, 3.4.0-10, 3.5.0-2, or later.\\n \\n \\n [-] Disclosure Timeline:\\n \\n [21\/10\/2025] – Vendor notified\\n [24\/10\/2025] – Vendor fixed the issue and opened a public GitHub\\n issue: https:\/\/github.com\/pkp\/pkp-lib\/issues\/11973\\n [12\/11\/2025] – CVE identifier requested\\n [20\/11\/2025] – Version 3.3.0-22 released\\n [22\/11\/2025] – Version 3.4.0-10 released\\n [12\/12\/2025] – CVE identifier assigned\\n [29\/11\/2025] – Version 3.5.0-2 released\\n [23\/12\/2025] – Publication of this advisory\\n \\n \\n [-] CVE Reference:\\n \\n The Common Vulnerabilities and Exposures program (cve.org) has\\n assigned the name CVE-2025-67890 to this vulnerability.\\n \\n \\n [-] Credits:\\n \\n Vulnerability discovered by Egidio Romano.\\n \\n \\n [-] Original Advisory:\\n \\n http:\/\/karmainsecurity.com\/KIS-2025-11″,”sourceHref”:”https:\/\/packetstorm.news\/download\/213266″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/213266\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2025-12-23T17:14:43″,”description”:”Open Journal Systems versions 3.5.0-1 and below suffer from a path traversal vulnerability in NativeXmlIssueGalleyFilter.php…”,”published”:”2025-12-23T00:00:00″,”modified”:”2025-12-23T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Open Journal Systems 3.5.0-1 Path Traversal”,”source”:””,”references”:””,”id”:”PACKETSTORM:213266″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-67890″],”sourceData”:”———————————————————————————————\\n Open Journal Systems \\u003c=…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-32546","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 Open Journal Systems 3.5.0-1 Path Traversal_PACKETSTORM:213266 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=32546\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 Open Journal Systems 3.5.0-1 Path Traversal_PACKETSTORM:213266 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2025-12-23T17:14:43″,”description”:”Open Journal Systems versions 3.5.0-1 and below suffer from a path traversal vulnerability in NativeXmlIssueGalleyFilter.php…”,”published”:”2025-12-23T00:00:00″,”modified”:”2025-12-23T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Open Journal Systems 3.5.0-1 Path Traversal”,”source”:””,”references”:””,”id”:”PACKETSTORM:213266″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-67890″],”sourceData”:”———————————————————————————————n Open Journal Systems u003c=...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=32546\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-23T11:54:34+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32546#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32546\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 Open Journal Systems 3.5.0-1 Path Traversal_PACKETSTORM:213266\",\"datePublished\":\"2025-12-23T11:54:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32546\"},\"wordCount\":505,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=32546#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32546\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32546\",\"name\":\"\ud83d\udcc4 Open Journal Systems 3.5.0-1 Path Traversal_PACKETSTORM:213266 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-12-23T11:54:34+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32546#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=32546\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32546#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 Open Journal Systems 3.5.0-1 Path Traversal_PACKETSTORM:213266\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 Open Journal Systems 3.5.0-1 Path Traversal_PACKETSTORM:213266 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=32546","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 Open Journal Systems 3.5.0-1 Path Traversal_PACKETSTORM:213266 - zero redgem","og_description":"{“lastseen”:”2025-12-23T17:14:43″,”description”:”Open Journal Systems versions 3.5.0-1 and below suffer from a path traversal vulnerability in NativeXmlIssueGalleyFilter.php…”,”published”:”2025-12-23T00:00:00″,”modified”:”2025-12-23T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Open Journal Systems 3.5.0-1 Path Traversal”,”source”:””,”references”:””,”id”:”PACKETSTORM:213266″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-67890″],”sourceData”:”———————————————————————————————n Open Journal Systems u003c=...","og_url":"https:\/\/zero.redgem.net\/?p=32546","og_site_name":"zero redgem","article_published_time":"2025-12-23T11:54:34+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=32546#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=32546"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 Open Journal Systems 3.5.0-1 Path Traversal_PACKETSTORM:213266","datePublished":"2025-12-23T11:54:34+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=32546"},"wordCount":505,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","news","NONE","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=32546#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=32546","url":"https:\/\/zero.redgem.net\/?p=32546","name":"\ud83d\udcc4 Open Journal Systems 3.5.0-1 Path Traversal_PACKETSTORM:213266 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-12-23T11:54:34+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=32546#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=32546"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=32546#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 Open Journal Systems 3.5.0-1 Path Traversal_PACKETSTORM:213266"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/32546","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=32546"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/32546\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=32546"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=32546"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=32546"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}