PKP-WAL 3.4.0-3 Remote Code Execution

---------------------------------------------------------------------------------PKP-WAL <= 3.4.0-3 (NativeImportExportPlugin) Remote Code ExecutionVulnerability---------------------------------------------------------------------------------[-] Software Links:https://pkp.sfu.cahttps://github.com/pkp/pkp-lib[-] Affected Versions:PKP Web Application Library (aka PKP-WAL or pkp-lib) version 3.4.0-3and prior versions, as used in Open Journal Systems (OJS), OpenMonograph Press (OMP), and Open Preprint Systems (OPS) before versions3.4.0-4 or 3.3.0-16.[-] Vulnerabilities Description:The vulnerability is located in the/plugins/importexport/native/filter/PKPNativeFilterHelper.php script.Specifically, into the"PKPNativeFilterHelper::parsePublicationCover()" method:100.     public function parsePublicationCover($filter, $node, $object)101.     {102.         $deployment = $filter->getDeployment();103.104.         $context = $deployment->getContext();105.106.         $locale = $node->getAttribute('locale');107.         if (empty($locale)) {108.             $locale = $context->getPrimaryLocale();109.         }110.111.         $coverImagelocale = [];112.         $coverImage = [];113.114.         for ($n = $node->firstChild; $n !== null; $n = $n->nextSibling) {115.             if ($n instanceof DOMElement) {116.                 switch ($n->tagName) {117.                     case 'cover_image':118.                         $coverImage['uploadName'] = $n->textContent;119.                         break;120.                     case 'cover_image_alt_text':121.                         $coverImage['altText'] = $n->textContent;122.                         break;123.                     case 'embed':124.                         $publicFileManager = new PublicFileManager();125.                         $filePath =$publicFileManager->getContextFilesPath($context->getId()) . '/' .$coverImage['uploadName'];126.                         file_put_contents($filePath,base64_decode($n->textContent));127.                         break;User input passed through the cover image tags of the import XML fileis not properly sanitized before being used at line 118 to construct avariable, which is later used as the final part of the filepath usedin a call to the file_put_contents() PHP function at line 126. Thiscan be exploited to write/overwrite arbitrary files on the web servervia Path Traversal sequences, leading to execution of arbitrary PHPcode.Successful exploitation of this vulnerability requires an account withpermissions to access the "Import/Export" plugin, such as a JournalEditor or Production Editor user.[-] Solution:Upgrade to version 3.4.0-4 or later.[-] Disclosure Timeline:[14/10/2023] - Vendor notified[26/10/2023] - Vendor fixed the issue and opened a public GitHubissue: https://github.com/pkp/pkp-lib/issues/9464[05/11/2023] - CVE identifier assigned[17/11/2023] - Version 3.4.0-4 released[14/12/2023] - Publication of this advisory[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the name CVE-2023-47271 to this vulnerability.[-] Credits:Vulnerability discovered by Egidio Romano.[-] Original Advisory:http://karmainsecurity.com/KIS-2023-14