PKP announces the release of OJS 3.1.1-2 and OMP 3.1.1-3.
These are bugfix releases, notably correcting a reflected XSS vulnerability:
- OMP 1.2.0 to 3.1.1-2: Issue #3805
- OJS 3.0.0 to 3.1.1-1: Issue #3785 (also Bootstrap and Health Sciences themes)
This type of vulnerability requires some social engineering to exploit and runs client-side, so it does not present a high risk. However, it is worth correcting if you’re running an affected release (and we always recommend staying up to date). If you are unable to upgrade to the latest release, there are patch instructions at the links above.
To download OJS 3.1.1-2, and for information on upgrading from previous releases, please see http://pkp.sfu.ca/ojs_download
To download OMP 3.1.1-3, and for information on upgrading from previous releases, please see http://pkp.sfu.ca/omp_download
See PKP Applications and Security for general information on security.
Thanks to Metamorfosec for discovery & reporting of the XSS issues.