Security scanning of the OJS system by the auditing institution - OJS 3.3.0-8

Hi, today we received information from a public institution, the Computer Security Incident Response Team, regarding an audit conducted on our OJS 3.3.0-8 installation, in which the following vulnerabilities were detected:

  1. An Open Redirect vulnerability was detected, allowing an attacker to craft a link within your domain that redirects to any other site, including potentially malicious sites. The vulnerability was identified at the following addresses:
    https://XXXXXXXXX:443 under the path /.example.com

  2. It was detected that the Nowa noVNC system contains an Open Redirect vulnerability, allowing an attacker to craft a link within your domain that redirects to any other site, including potentially malicious sites. The vulnerability was identified at the following addresses:
    https://XXXXXXXXXX:443 under the path //interact.sh/%2F

Is this issue known to you, and how can the potential vulnerabilities be mitigated?

Thanks
Janels
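The second finding quoted above is the classic protocol-relative redirect: a path that begins with `//` is read by browsers as `scheme://host/...`, so a redirect built from it leaves the site. The following Python is an added example, not from the thread or from OJS, showing a validator for redirect targets that also covers the backslash and percent-encoded variants of that pattern, plus a detection pass over constructed access-log lines (the `interact.sh` host is the one the scanner used; the other hosts, addresses and paths are made up).

```python
import re
from urllib.parse import unquote, urlsplit

def is_safe_local_redirect(target: str) -> bool:
    """True only for a path-only target on the current origin.

    Rejects the protocol-relative form ("//host/..."), the backslash variant
    ("/\\host") that browsers treat the same way, percent-encoded versions of
    both, and anything carrying an explicit scheme or host.
    """
    decoded = target
    for _ in range(3):                    # undo double/triple encoding
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    normalised = decoded.replace("\\", "/")
    if not normalised.startswith("/") or normalised.startswith("//"):
        return False                      # relative word, or another host
    parts = urlsplit(normalised)
    return not parts.scheme and not parts.netloc

def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Use the requested target when it passes validation, else the fallback."""
    return target if is_safe_local_redirect(target) else fallback

# Constructed access-log lines (not from any real server); the first and
# third mimic the probes a scanner sends, the second is ordinary traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET //interact.sh/%2F HTTP/1.1" 302 0',
    '203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php/jnl/about HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /%5C%5Cexample.org HTTP/1.1" 301 0',
]
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def find_redirect_probes(lines):
    """Return (path, status) for requests whose path points off-origin and
    that the server answered with a 3xx: candidate open-redirect hits."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and m.group(2).startswith("3") and not is_safe_local_redirect(m.group(1)):
            hits.append((m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    print(find_redirect_probes(SAMPLE_LOG))
```

Running the detection pass over the sample lines reports the two probe requests and ignores the normal `/index.php/...` request; a `200` answer to a `//host` path would not be listed, since only a redirect response confirms the behaviour.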

Hi, @janels. This message appears to point to a component which is not a standard part of OJS: “NoVNC”. This could perhaps refer to a JavaScript library: https://novnc.com/info.html ; or to an OpenStack daemon: https://docs.openstack.org/nova/latest/cli/nova-novncproxy.html

Is this the full text of the vulnerability report, or do you have additional information which was not shared, or which was redacted? If you can share additional information privately, you are welcome to send me a private message.