PKP-WAL 3.5.0-1 is vulnerable to Cross-Site Request Forgery (CSRF). This flaw allows an attacker to trick a logged-in user, typically an administrator, into performing unintended actions on the application.
The vulnerability stems from the lack of proper anti-CSRF tokens or other protection mechanisms for sensitive operations. An attacker could craft a malicious webpage or email containing a hidden request. If a legitimate, authenticated user visits this malicious content, their browser would automatically send the forged request to the PKP-WAL server.
This would execute actions like creating/deleting users, modifying system settings, or other administrative functions without the user's knowledge or consent. Successful exploitation could lead to unauthorized access or data manipulation. Users are advised to update to a patched version to mitigate this risk.
-----------------------------------------------------------------
PKP-WAL <= 3.5.0-1 Login Cross-Site Request Forgery Vulnerability
-----------------------------------------------------------------
[-] Software Links:
https://pkp.sfu.ca
https://github.com/pkp/pkp-lib
[-] Affected Versions:
Version 3.3.0-21 and prior versions.
Version 3.4.0-9 and prior versions.
Version 3.5.0-1 and prior versions.
[-] Vulnerability Description:
Open Journal Systems (OJS), Open Monograph Press (OMP), and Open
Preprint Systems (OPS) allow users to perform a login without
providing the "csrfToken" parameter, which is included on the
client-side, but it's not validated on the server-side. As such, all
these applications are vulnerable to potential "Login Cross-Site
Request Forgery" attacks.
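To make the flaw concrete, here is an added, simplified Python model of a login handler (not pkp-lib's code): the first variant embeds a csrfToken in the form but never checks it, the second rejects the request unless the submitted token matches the one bound to the browser's pre-authentication session. USERS, issue_token, login_vulnerable and login_fixed are hypothetical names chosen for this illustration.

```python
import hmac
import secrets

# Constructed in-memory stand-in for a user table (hypothetical, not pkp-lib's model).
USERS = {"admin": "correct horse battery staple"}


def issue_token(session: dict) -> str:
    """Bind a fresh anti-CSRF token to the (pre-login) session; the form embeds it."""
    session["csrfToken"] = secrets.token_hex(32)
    return session["csrfToken"]


def login_vulnerable(session: dict, form: dict) -> bool:
    """Flawed pattern: the rendered form carries csrfToken, but the handler never
    reads it, so a cross-site POST containing only username/password succeeds."""
    return USERS.get(form.get("username")) == form.get("password")


def login_fixed(session: dict, form: dict) -> bool:
    """Hardened pattern: require csrfToken and compare it in constant time against
    the value bound to this browser's session before touching the credentials."""
    expected = session.get("csrfToken")
    supplied = form.get("csrfToken")
    if not expected or not supplied:
        return False  # token missing on either side: reject
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False  # forged or stale token: reject
    session.pop("csrfToken")  # single use; a fresh one is issued on the next render
    return USERS.get(form.get("username")) == form.get("password")
```

A forged request from another origin cannot carry the victim's session-bound token, so only the fixed handler stops it; the vulnerable one accepts valid credentials regardless of the token.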
[-] Solution:
Upgrade to versions 3.3.0-22, 3.4.0-10, 3.5.0-2, or later.
[-] Disclosure Timeline:
[21/10/2025] - Vendor notified
[24/10/2025] - Vendor fixed the issue and opened a public GitHub
issue: https://github.com/pkp/pkp-lib/issues/11978
[12/11/2025] - CVE identifier requested
[20/11/2025] - Version 3.3.0-22 released
[22/11/2025] - Version 3.4.0-10 released
[12/12/2025] - CVE identifier assigned
[29/11/2025] - Version 3.5.0-2 released
[23/12/2025] - Publication of this advisory
[-] CVE Reference:
The Common Vulnerabilities and Exposures program (cve.org) has
assigned the name CVE-2025-67892 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2025-14
- Written by: khalil shreateh