{"id":"CVE-2023-47271","details":"PKP-WAL (aka PKP Web Application Library or pkp-lib) before 3.3.0-16, as used in Open Journal Systems (OJS) and other products, does not verify that the file named in an XML document (used for the native import/export plugin) is an image file, before trying to use it for an issue cover image.","modified":"2026-04-10T05:04:56.778155Z","published":"2023-11-06T00:15:09.317Z","references":[{"type":"WEB","url":"http://packetstormsecurity.com/files/176255/PKP-WAL-3.4.0-3-Remote-Code-Execution.html"},{"type":"WEB","url":"http://seclists.org/fulldisclosure/2023/Dec/23"},{"type":"FIX","url":"https://github.com/pkp/pkp-lib/issues/9464"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pkp/pkp-lib","events":[{"introduced":"0"},{"fixed":"07254d23dd48f2399972328bd149c8ebf578c47d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.3.0-16"}]}}],"versions":["3_2_0-0","3_2_0-1","3_2_1rc1","3_3_0-0","3_3_0-1","3_3_0-10","3_3_0-11","3_3_0-12","3_3_0-13","3_3_0-14","3_3_0-15","3_3_0-2","3_3_0-3","3_3_0-4","3_3_0-5","3_3_0-6","3_3_0-7","3_3_0-8","3_3_0-9","harvester-2_3_0-0","harvester-2_3_0b1","ohs-2_3_1-0","ojs-2_3_0-0rc1","ojs-2_3_3-0","ojs-2_3_3-1","ojs-2_4_0-0","ojs-3_0_1-0","ojs-3_0_2-0","ojs-3_0a1","ojs-3_0b1","ojs-3_1_1-0","omp-0_9_9-0","omp-1_2_0-0","omp-3_1_0-0","omp-3_1_1-0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-47271.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}