CVE-2022-24181

Severity: MEDIUM · Nuclei template available

PKP Open Journals System >=2.4.8 - XSS

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-24181. PoCs published by Hemant Kashyap, cyberhawk000. A Nuclei detection template is also available.

AI-analyzed exploit summary: This is a writeup describing a Cross-Site Scripting (XSS) vulnerability in PKP Open Journals System versions 2.4.8 to 3.3.8 via Host Header injection. The steps outline how to exploit the vulnerability to steal password reset tokens.

Description

Cross-site scripting (XSS) via Host Header injection in PKP Open Journals System 2.4.8 through 3.3 allows remote attackers to inject arbitrary code via the X-Forwarded-Host header.

Exploits (2)

exploitdb · Writeup
by Hemant Kashyap · tags: text, webapps, php
https://www.exploit-db.com/exploits/50881

Classification: Writeup (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: PKP Open Journals System 2.4.8 to 3.3.8
Authentication: none needed
Prerequisites: Access to the target site · Ability to intercept and modify HTTP requests
Analyzed by devstral-2 on Feb 16, 2026
nomisec · Writeup
by cyberhawk000 · tags: poc
https://github.com/cyberhawk000/CVE-2022-24181

This repository provides a writeup for CVE-2022-24181, detailing an XSS vulnerability via Host Header injection in Open Journal Systems (OJS). It includes steps to reproduce the exploit and a Google dork for finding vulnerable instances.

Classification: Writeup (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Open Journal Systems (OJS) versions 2.4.8 to 3.3.8
Authentication: none needed
Prerequisites: Access to a vulnerable OJS instance · Ability to intercept and modify HTTP requests (e.g., using Burp Suite)
Analyzed by devstral-2 on Feb 16, 2026

Nuclei Templates (1)

PKP Open Journal Systems 2.4.8-3.3 - Cross-Site Scripting
Severity: MEDIUM · Verified · by lucasljm2001, ekrause
Shodan: cpe:"cpe:2.3:a:public_knowledge_project:open_journal_systems"

References (1)

Core References (1)
Tags: Issue Tracking, Third Party Advisory (x_refsource_misc)
https://github.com/pkp/pkp-lib/issues/7649

Scores

CVSS v3 6.1
EPSS 0.0608
EPSS Percentile 92.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
public_knowledge_project/open_journal_systems 2.4.8 - 3.3
Published Apr 01, 2022
Tracked Since Feb 18, 2026