I used Acunetix to scan my newly installed OJS 3.3.0-4 version website for vulnerabilities

Describe the issue or problem
I used Acunetix to scan my newly installed OJS 3.3.0-4 version website for vulnerabilities. Then the following weaknesses appeared; how do I solve them?
1. Chart.js Improper Input Validation Vulnerability
Description
This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the default options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution.
2. jQuery Validation Other Vulnerability
Description
The jQuery Validation Plugin (jquery-validation) provides drop-in validation for forms. Versions of jquery-validation prior to 1.19.5 are vulnerable to regular expression denial of service (ReDoS) when an attacker is able to supply arbitrary input to the url2 method. This is due to an incomplete fix for CVE-2021-43306. Users should upgrade to version 1.19.5 to receive a patch.
Description
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the jquery-validation npm package when an attacker is able to supply arbitrary input to the url2 method.
3. Vulnerable package dependencies [high]
Description
One or more packages that are used in your web application are affected by known vulnerabilities. Please consult the details section for more information about each affected package.
Affected items
/lib/pkp/
Details
List of vulnerable composer packages:
Package: adodb/adodb-php
Version: 5.20.18
CVE: CVE-2021-3850
Title: Improper Authentication
Description: Authentication Bypass by Primary Weakness in GitHub repository adodb/adodb prior to 5.20.21.
CVSS V2: AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS V3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE: CWE-287
References:
https://huntr.dev/bounties/bdf5f216-4499-4225-a737-b28bc6f5801c
https://lists.debian.org/debian-lts-announce/2022/02/msg00006.html
https://www.debian.org/security/2022/dsa-5101

Steps I took leading up to the issue
N/A

What application are you using?
OJS 3.3.0-4

Additional information
N/A
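The first finding in the post describes the mechanism of the Chart.js issue: a deep merge of user-supplied options that does not check keys, so a `__proto__` key walks into `Object.prototype`. The following is an added, generic illustration of that bug class and its fix; it is not Chart.js's or OJS's code, and the `naiveDeepMerge`, `safeDeepMerge` and `demonstrate` functions and the JSON payload are constructed for this example.

```javascript
// Added example: deep-merge prototype pollution, vulnerable and hardened.
// Neither function is taken from Chart.js or OJS; they illustrate the
// mechanism described in the scanner finding.

// Vulnerable: iterates every key with for...in and follows target[key]
// without checking the key name. target["__proto__"] resolves to
// Object.prototype, so the recursion writes attacker keys onto it.
function naiveDeepMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse prototype-controlling keys, walk only own enumerable keys
// of the source, and only descend into plain objects that the target
// actually owns (never into inherited properties).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // blocks the pollution path
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key)
        ? target[key]
        : undefined;
      const dest = isPlainObject(existing) ? existing : {};
      target[key] = safeDeepMerge(dest, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload, as it might arrive in a JSON "options" body.
// JSON.parse creates "__proto__" as an ordinary own property, which is
// exactly what a key-unaware merge then follows.
const PAYLOAD = '{"title":{"text":"ok"},"__proto__":{"polluted":"yes"}}';

// Merge the payload into default options with the given merge function and
// report whether a fresh, unrelated object now sees the injected property.
function demonstrate(mergeFn) {
  const opts = mergeFn({ title: { text: 'default' } }, JSON.parse(PAYLOAD));
  const leaked = ({}).polluted; // undefined unless Object.prototype was polluted
  delete Object.prototype.polluted; // clean up so later runs start from a clean prototype
  return { titleText: opts.title.text, leaked };
}

console.log('naive:', demonstrate(naiveDeepMerge));
console.log('safe: ', demonstrate(safeDeepMerge));
```

Run with `node` to see the naive merge leak `polluted: 'yes'` onto every object while the hardened merge still applies the legitimate `title.text` override. The key-name denylist alone is not the whole fix; iterating only own keys and refusing to descend into inherited properties closes the `constructor.prototype` route as well.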

Hi @yen,

If you think you might have found a security problem, next time please follow the instructions in the SECURITY.md document

We are aware of the issues you mention, which are 3rd-party dependencies included in OJS. We review our use of these when they are reported, and ensure that there is no attack surface presenting a risk to our users. When there is, we release a new version with updated (or mitigated) dependencies.

OJS 3.3.0-x is a Long Term Support (LTS) release, which means we commit to maintaining it for security for a period of 3-5 years after it is released. This can prevent us from fully updating dependencies to the latest releases; in that case we look to other approaches such as patching to mitigate any problems that have been reported in the meantime.

tl;dr: these reports do not present attack surfaces in OJS; you’re safe to continue.

However, I note that you’re using OJS 3.3.0-4; that is an old release and I would encourage you to update to either the latest 3.3.0-x (an LTS release) or 3.4.0-x (not an LTS release). For users with limited IT resources, the LTS release is usually the best choice.

Regards,
Alec Smecher
Public Knowledge Project Team

Sorry! I made a typo! I am using the latest version 3.4.0-4. It seems that the title and content of this post cannot be modified. Should I delete it and repost it?

Hi @yen,

Not a problem – just ignore the part about upgrading from OJS 3.3.0-4 to something newer. (By the way, we’re probably going to release OJS 3.4.0-5 this week, with a number of minor fixes.)

Regards,
Alec Smecher
Public Knowledge Project Team

