----------------------------------------------------------------------
PKP-WAL <= 3.5.0-1 (Institution Collector) SQL Injection Vulnerability
----------------------------------------------------------------------

[-] Software Links:

https://pkp.sfu.ca
https://github.com/pkp/pkp-lib

[-] Affected Versions:

PKP Web Application Library (aka PKP-WAL or pkp-lib) version 3.4.0-9 and prior versions, and version 3.5.0-1 and prior versions, as used in Open Journal Systems (OJS), Open Monograph Press (OMP), and Open Preprint Systems (OPS).

[-] Vulnerability Description:

The vulnerability is located in the /classes/institution/Collector.php script. Specifically, in the Collector::getQueryBuilder() method, user input passed through the "searchPhrase" GET parameter is not properly sanitized before being used to construct a SQL query at lines 143 and 148 by leveraging the DB::raw() method. This can be exploited by malicious users to e.g. read sensitive data from the database through boolean-based or time-based SQL Injection attacks. Successful exploitation of this vulnerability requires an account with permissions to access the .../api/v1/institutions API endpoint, such as a "Journal Editor" or "Production Editor" user account on OJS.

[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2025-67889.php

[-] Solution:

Upgrade to versions 3.4.0-10, 3.5.0-2, or later.

[-] Disclosure Timeline:

[25/10/2025] - Vendor notified
[26/10/2025] - Vendor fixed the issue and opened a public GitHub issue: https://github.com/pkp/pkp-lib/issues/11977
[12/11/2025] - CVE identifier requested
[18/11/2025] - Version 3.4.0-10 released
[12/12/2025] - CVE identifier assigned
[29/11/2025] - Version 3.5.0-2 released
[23/12/2025] - Publication of this advisory

[-] CVE Reference:

The Common Vulnerabilities and Exposures program (cve.org) has assigned the name CVE-2025-67889 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2025-10

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
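The following is an added illustration of the pattern the advisory describes (a search phrase spliced into DB::raw() in a Laravel-style query builder) beside a hardened form that binds each word as a parameter; it is not pkp-lib's code, and the institutions table, column names and search functions are hypothetical. It assumes illuminate/database is installed via Composer and uses an in-memory SQLite database so it runs offline.

```php
<?php
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Database\Capsule\Manager as Capsule;

$capsule = new Capsule();
$capsule->addConnection(['driver' => 'sqlite', 'database' => ':memory:']);
$capsule->setAsGlobal();

// Constructed sample table standing in for an institutions table (hypothetical).
Capsule::schema()->create('institutions', function ($t) {
    $t->increments('institution_id');
    $t->string('name');
});
Capsule::table('institutions')->insert([
    ['name' => 'Simon Fraser University'],
    ['name' => 'University of Example'],
]);

// Unsafe pattern: each word of the caller-controlled phrase is concatenated
// into a raw expression, so the phrase becomes part of the SQL text itself.
function unsafeSearch(string $searchPhrase)
{
    $q = Capsule::table('institutions');
    foreach (preg_split('/\s+/', trim($searchPhrase)) as $word) {
        if ($word === '') continue;
        $q->orWhere(Capsule::raw('LOWER(name)'), 'LIKE', Capsule::raw("'%" . strtolower($word) . "%'"));
    }
    return $q;
}

// Hardened form: the column expression stays fixed, each word travels as a
// bound parameter, and LIKE metacharacters in the phrase are escaped so that
// '%' and '_' typed by the user match literally instead of acting as wildcards.
function safeSearch(string $searchPhrase)
{
    $q = Capsule::table('institutions');
    foreach (preg_split('/\s+/', trim($searchPhrase)) as $word) {
        if ($word === '') continue;
        $pattern = '%' . addcslashes(strtolower($word), '\\%_') . '%';
        $q->orWhereRaw('LOWER(name) LIKE ? ESCAPE ?', [$pattern, '\\']);
    }
    return $q;
}

$phrase = 'university';
echo unsafeSearch($phrase)->toSql(), "\n"; // the phrase appears verbatim inside the SQL
echo safeSearch($phrase)->toSql(), "\n";   // the SQL carries only '?' placeholders
echo safeSearch($phrase)->count(), " matching rows\n";
```

Comparing the two toSql() outputs is a quick review check for this class of bug: any query whose text changes with the request input is a candidate for the same issue.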
