CVE-2023-5626

8.8 HIGH

📋 TL;DR

This Cross-Site Request Forgery (CSRF) vulnerability in PKP Open Journal Systems (OJS) allows attackers to trick authenticated users into performing unintended actions on their behalf. Users with administrative or editorial privileges in OJS installations are affected. The vulnerability exists in the web interface where state-changing requests lack proper CSRF protection.

💻 Affected Systems

Products:
  • PKP Open Journal Systems (OJS)
Versions: All versions prior to 3.3.0-16
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with authenticated users. Anonymous users cannot be exploited through this vulnerability.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could create new administrator accounts, modify journal content, delete articles, or change system configurations leading to complete compromise of the journal management system.

🟠 Likely Case

Attackers could modify article metadata, change user permissions, or alter journal settings without the victim's knowledge while they're logged into OJS.

🟢 If Mitigated

With proper CSRF tokens and SameSite session cookies, the attack would fail because the forged requests would be rejected by the server.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

CSRF attacks are well-understood and easy to implement. The vulnerability requires the victim to be authenticated and visit a malicious page while logged into OJS.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.0-16 and later

Vendor Advisory: https://github.com/pkp/ojs/commit/99a9f393190383454aa5ddffedffc89596f6c682

Restart Required: No

Instructions:

1. Back up your OJS installation and database.
2. Download OJS version 3.3.0-16 or later from the official repository.
3. Replace the existing installation files with the patched version.
4. Clear browser caches and test functionality.

🔧 Temporary Workarounds

Implement CSRF Protection Middleware

all

Add custom CSRF token validation to all state-changing endpoints

# Requires modifying OJS source code to add CSRF tokens to forms and validate them server-side

SameSite Cookie Configuration

all

Configure session cookies with SameSite=Strict attribute

# In OJS configuration or web server config, set session.cookie_samesite = 'Strict'

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to detect and block CSRF patterns
  • Require re-authentication for sensitive administrative actions

🔍 How to Verify

Check if Vulnerable:

Check OJS version in admin dashboard or examine config.THEME_VERSION in config.inc.php

Check Version:

grep -i 'version' config.inc.php | grep -i 'ojs'

Verify Fix Applied:

Verify version is 3.3.0-16 or later and test that forms include CSRF tokens (hidden input fields with random values)

📡 Detection & Monitoring

Log Indicators:

  • Multiple state-changing requests from same IP without corresponding GET requests
  • Administrative actions from unexpected user agents or referrers

Network Indicators:

  • HTTP POST requests to OJS endpoints without Referer header matching OJS domain
  • Requests with missing or invalid CSRF tokens in patched versions

SIEM Query:

source="ojs_access.log" | where (http_method="POST" AND NOT csrf_token=*) OR (http_method="POST" AND NOT referer CONTAINS "ojs-domain")
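The network indicators above, as an added example that is not part of the original page or of the OJS project: a small Python filter that reads combined-format access log lines and flags state-changing requests whose Referer is missing or points outside the journal's own host. The log lines, request paths and the host name journal.example.org are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Apache/Nginx "combined" log format: the last two quoted fields are Referer and User-Agent.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Methods that change server state and therefore need CSRF protection.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample log: one normal settings save, then two POSTs that
# arrive from a foreign page and with no Referer at all.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Oct/2023:10:00:01 +0000] "GET /index.php/demo/management/settings/website HTTP/1.1" 200 5120 "https://journal.example.org/index.php/demo/management/settings" "Mozilla/5.0"
203.0.113.10 - - [12/Oct/2023:10:00:05 +0000] "POST /index.php/demo/management/settings/website HTTP/1.1" 200 312 "https://journal.example.org/index.php/demo/management/settings/website" "Mozilla/5.0"
203.0.113.10 - - [12/Oct/2023:10:03:17 +0000] "POST /index.php/demo/$$$call$$$/grid/settings/user/user-grid/update-user HTTP/1.1" 200 120 "https://attacker.example.net/lure.html" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2023:10:04:02 +0000] "POST /index.php/demo/$$$call$$$/grid/settings/user/user-grid/update-user HTTP/1.1" 200 120 "-" "Mozilla/5.0"
""".splitlines()


def referer_host(referer):
    """Lower-cased host of a Referer value, or None when the header was absent ('-')."""
    if referer in ("", "-"):
        return None
    return (urlsplit(referer).hostname or "").lower()


def suspicious_requests(lines, ojs_host):
    """Return parsed state-changing requests whose Referer is absent or not from ojs_host.

    A missing Referer is only a weak signal (browsers strip it under some
    referrer policies), so each hit carries a 'reason' for triage.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        rec = m.groupdict()
        if rec["method"] not in STATE_CHANGING:
            continue
        host = referer_host(rec["referer"])
        if host == ojs_host.lower():
            continue  # same-site request, expected for a real form submission
        rec["reason"] = "missing-referer" if host is None else "cross-site-referer"
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG, "journal.example.org"):
        print(hit["time"], hit["ip"], hit["method"], hit["path"], hit["reason"])
```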
