Message from Public Knowledge Project Team (07.10.2022)
Dear users of PKP software (OJS, OMP, and OPS),
There are two recently-discovered security issues that you should be aware of:
#8307: Any author can edit/delete arbitrary author records on published content
This issue affects OJS, OMP, and OPS versions between 3.2.0-0 and 3.3.0-12 (inclusive). It allows anyone with an author account to edit and delete author records on published content. It is fixed in OJS/OMP/OPS 3.3.0-13 and newer. If you are not able to upgrade, there are instructions for patching at the link above.
#8299: Some roles can edit/delete galleys on submissions they should not be able
This issue affects OJS, OMP, and OPS versions between 3.3.0-0 and 3.3.0-12 (inclusive). It allows privileged OJS and OMP users to edit galleys when they should not, but the potential for abuse is limited because these are already privileged accounts. It is more problematic for OPS, where author accounts can be abused to modify galleys unexpectedly. The bug is fixed in OJS/OMP/OPS 3.3.0-13 and newer. If you are not able to upgrade, there are instructions for patching at the link above.
We are not aware of abuse of either of these issues. #8307 was discovered by an external reporter, and #8299 was discovered by a PKP developer. We encourage you to upgrade or patch for these issues as soon as possible.
We will leave approx. 2 weeks to allow the community to upgrade or patch, and then publish more detailed information on the above links and the software download pages.
Public Knowledge Project Team
This message was sent by the Public Knowledge Project.