[KIS-2025-10] PKP-WAL <= 3.5.0-1 (Institution Collector) SQL Injection Vulnerability


Full Disclosure mailing list archives


From: Egidio Romano <n0b0d13s () gmail com>
Date: Tue, 23 Dec 2025 12:17:34 +0100

----------------------------------------------------------------------
PKP-WAL <= 3.5.0-1 (Institution Collector) SQL Injection Vulnerability
----------------------------------------------------------------------


[-] Software Links:

https://pkp.sfu.ca
https://github.com/pkp/pkp-lib


[-] Affected Versions:

PKP Web Application Library (aka PKP-WAL or pkp-lib) version 3.4.0-9
and prior versions, and version 3.5.0-1 and prior versions, as used in
Open Journal Systems (OJS), Open Monograph Press (OMP), and Open
Preprint Systems (OPS).


[-] Vulnerability Description:

The vulnerability is located in the /classes/institution/Collector.php
script, specifically in the Collector::getQueryBuilder() method,
where user input passed through the "searchPhrase" GET parameter is
not properly sanitized before being used to construct a SQL query at
lines 143 and 148 via the DB::raw() method. This can be exploited by
malicious users to, for example, read sensitive data from the
database through boolean-based or time-based SQL Injection attacks.

Successful exploitation of this vulnerability requires an account with
permissions to access the .../api/v1/institutions API endpoint, such
as a "Journal Editor" or "Production Editor" user account on OJS.
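The following is an added illustration of the bug class described above, not code from pkp-lib or from the advisory. It uses plain PDO with an in-memory SQLite table (constructed inline, with hypothetical column names) rather than the Laravel query builder, so it runs stand-alone with `php example.php`. It places the unsafe pattern (splicing a user-supplied search phrase into the SQL text, which is what routing it through a raw SQL fragment amounts to) beside the hardened pattern (binding the phrase as a parameter and escaping LIKE wildcards):

```php
<?php
// Added example, not pkp-lib code. Assumes a hypothetical "institutions"
// table with a "name" column, constructed here so the script runs offline.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE institutions (institution_id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO institutions (name) VALUES "
    . "('Simon Fraser University'), ('O''Reilly Institute'), ('Other College')");

// Unsafe pattern: the search phrase becomes part of the SQL text, so any
// quote character in it changes the structure of the statement.
function searchUnsafe(PDO $pdo, string $searchPhrase): array
{
    $sql = "SELECT name FROM institutions WHERE name LIKE '%" . $searchPhrase . "%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: the phrase is a bound parameter and can only ever be
// data; LIKE metacharacters are escaped so the user's text matches literally.
function searchSafe(PDO $pdo, string $searchPhrase): array
{
    $escaped = addcslashes($searchPhrase, '\\%_');
    $stmt = $pdo->prepare("SELECT name FROM institutions WHERE name LIKE :phrase ESCAPE '\\'");
    $stmt->execute([':phrase' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A perfectly legitimate phrase with an apostrophe is enough to show the
// difference: the unsafe query fails with a syntax error (the same property
// an attacker would abuse), while the bound query returns the matching row.
$phrase = "O'Reilly";
try {
    var_dump(searchUnsafe($pdo, $phrase));
} catch (PDOException $e) {
    echo "unsafe query failed: " . $e->getMessage() . PHP_EOL;
}
var_dump(searchSafe($pdo, $phrase));
```

In Laravel-style query builders the equivalent of the safe form is to pass the value as a binding (for example, `where('name', 'like', $pattern)` or `whereRaw($sql, $bindings)`) instead of interpolating it into a raw fragment; a quick code review check for this bug class is to grep for `DB::raw(` and confirm that no argument is built by string concatenation with request data.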

[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2025-67889.php


[-] Solution:

Upgrade to versions 3.4.0-10, 3.5.0-2, or later.


[-] Disclosure Timeline:

[25/10/2025] - Vendor notified
[26/10/2025] - Vendor fixed the issue and opened a public GitHub
issue: https://github.com/pkp/pkp-lib/issues/11977
[12/11/2025] - CVE identifier requested
[18/11/2025] - Version 3.4.0-10 released
[12/12/2025] - CVE identifier assigned
[29/11/2025] - Version 3.5.0-2 released
[23/12/2025] - Publication of this advisory


[-] CVE Reference:

The Common Vulnerabilities and Exposures program (cve.org) has
assigned the name CVE-2025-67889 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2025-10
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/



Source: https://seclists.org/fulldisclosure/2025/Dec/32