CVE-2012-1469

Open Journal Systems < 2.3.7 - Cross-Site Scripting via iBrowser Plugin Parameters

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2012-1469. PoCs published by High-Tech Bridge.

AI-analyzed exploit summary This is a vulnerability writeup describing multiple issues in Open Journal Systems, including XSS, arbitrary file deletion, and file upload vulnerabilities. It provides a proof-of-concept for an XSS attack via the 'URL' field in the submissions page.

Description

Multiple cross-site scripting (XSS) vulnerabilities in Open Journal Systems before 2.3.7 allow remote attackers and remote authenticated users to inject arbitrary web script or HTML via the (1) editor or (2) callback parameters to lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/ibrowser.php in the iBrowser plugin, (3) authors[][url] parameter to index.php, or (4) Bio Statement or (5) Abstract of Submission fields to the stripUnsafeHtml function in lib/pkp/classes/core/String.inc.php.

Exploits (2)

exploitdb WRITEUP VERIFIED
by High-Tech Bridge · textwebappsphp
https://www.exploit-db.com/exploits/36999

This is a vulnerability writeup describing multiple issues in Open Journal Systems, including XSS, arbitrary file deletion, and file upload vulnerabilities. It provides a proof-of-concept for an XSS attack via the 'URL' field in the submissions page.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Open Journal Systems 2.3.6
Auth required
Prerequisites: Access to the author submission page · Valid article ID
MITRE ATT&CK
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by High-Tech Bridge · textwebappsphp
https://www.exploit-db.com/exploits/37000

The provided text describes multiple vulnerabilities in Open Journal Systems 2.3.6, including XSS, arbitrary file deletion, and file upload. It includes example payloads for stored XSS but lacks executable exploit code.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Theoretical
Target: Open Journal Systems 2.3.6
Auth required
Prerequisites: Access to the submission form · Valid session or authentication
MITRE ATT&CK
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (13)

Core 13
Core References
Various Sources x_refsource_confirm
http://pkp.sfu.ca/support/forum/viewtopic.php?f=2&t=8431
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/74228
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/74225
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/48449
Various Sources x_refsource_confirm
http://pkp.sfu.ca/ojs/RELEASE-2.3.7
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/74227
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/80257
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/80255
Exploit mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2012-03/0102.html
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/48464
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/80256
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/74226

Scores

EPSS 0.0308
EPSS Percentile 86.1%

Details

CWE
CWE-79
Status published
Products (1)
pkp/open_journal_systems < 2.3.6
Published Sep 06, 2012
Tracked Since Feb 18, 2026