Description
JSON can only express simple constructs (arrays, strings, numbers, booleans and null). PHP's serialize/unserialize can additionally describe arbitrary objects: unserialize() instantiates whatever classes the input names and PHP later runs their magic methods (such as __wakeup and __destruct), so it must never be fed data that cannot be trusted.
Use json_encode/json_decode instead of serialize/unserialize in the report generator, and review the rest of the codebase for similar usage.
This is a potential security issue: calling PHP unserialize() on attacker-controlled input permits object injection and, depending on the classes loadable at that point, code execution. Abuse of this issue requires Journal Manager access; social engineering is possible if a logged-in Journal Manager can be tricked into visiting a specially crafted (albeit long) URL.
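The following is an added illustration, not code from OJS/OMP or from the reporter: it shows the unserialize() pattern the advisory describes beside the json_decode() replacement it recommends, plus the `allowed_classes` mitigation for code that cannot drop serialize() yet. The request parameter name `columns`, the class `TempFileCleaner` and all function names are assumptions made for the example; the serialized payload and the temporary file are constructed inline.

```php
<?php
// Added example (not OJS/OMP code). Names below are assumptions for illustration.

// A class whose destructor has a side effect. Any such class that is loadable
// when unserialize() runs is a potential "gadget": the attacker picks the
// property values, and PHP runs __destruct() when the object is released.
class TempFileCleaner
{
    public $path = null;

    public function __destruct()
    {
        if ($this->path !== null && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// VULNERABLE: rebuilds whatever object graph the request describes.
function columnsFromRequestUnsafe(array $query): array
{
    $columns = unserialize($query['columns'] ?? 'a:0:{}');
    return is_array($columns) ? $columns : [];
}

// MITIGATED (when serialize() cannot be dropped yet): refuse to instantiate any
// class. Objects in the payload become __PHP_Incomplete_Class, which has no
// magic methods, so the gadget never fires.
function columnsFromRequestNoClasses(array $query): array
{
    $columns = unserialize($query['columns'] ?? 'a:0:{}', ['allowed_classes' => false]);
    return is_array($columns) ? $columns : [];
}

// HARDENED: JSON can only carry scalars, arrays and plain objects; with
// $assoc = true, json_decode() never instantiates an application class.
// Shape and values are then checked against an allow-list.
// (JSON_THROW_ON_ERROR requires PHP 7.3 or newer.)
function columnsFromRequest(array $query, array $allowedColumns): array
{
    $columns = json_decode($query['columns'] ?? '[]', true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($columns)) {
        throw new InvalidArgumentException('columns must be a JSON array');
    }
    foreach ($columns as $column) {
        if (!is_string($column) || !in_array($column, $allowedColumns, true)) {
            throw new InvalidArgumentException('unknown column: ' . var_export($column, true));
        }
    }
    return array_values($columns);
}

// Builds the serialized form of [ TempFileCleaner { path => $victim } ] by hand,
// so no object is created on the "attacker" side. (15 = strlen("TempFileCleaner"))
function gadgetPayload(string $victim): string
{
    return sprintf('a:1:{i:0;O:15:"TempFileCleaner":1:{s:4:"path";s:%d:"%s";}}',
                   strlen($victim), $victim);
}

// --- Demonstration with constructed input -------------------------------------
$allowed = ['title', 'submissionDate', 'status'];

// 1. unserialize(): the destructor runs with attacker-chosen $path.
$victim  = tempnam(sys_get_temp_dir(), 'ojs');
$columns = columnsFromRequestUnsafe(['columns' => gadgetPayload($victim)]);
unset($columns);   // object released -> __destruct() -> unlink($victim)
printf("unserialize():          victim %s\n", is_file($victim) ? 'survives' : 'deleted');

// 2. allowed_classes => false: same payload, no class instantiated.
$victim  = tempnam(sys_get_temp_dir(), 'ojs');
$columns = columnsFromRequestNoClasses(['columns' => gadgetPayload($victim)]);
printf("allowed_classes=false:  element is %s\n", get_class($columns[0]));
unset($columns);
printf("allowed_classes=false:  victim %s\n", is_file($victim) ? 'survives' : 'deleted');
unlink($victim);

// 3. json_decode(): accepts an allow-listed request ...
print_r(columnsFromRequest(['columns' => json_encode(['title', 'status'])], $allowed));

// ... and rejects both the serialized payload (not JSON) and an unknown column.
foreach ([gadgetPayload('/etc/passwd'), json_encode(['title', 'password'])] as $bad) {
    try {
        columnsFromRequest(['columns' => $bad], $allowed);
    } catch (JsonException | InvalidArgumentException $e) {
        printf("rejected: %s\n", $e->getMessage());
    }
}
```

Run it with `php example.php`. The point of the first section is that nothing in the vulnerable handler calls `TempFileCleaner` at all: the class only has to exist in the application (or any library it autoloads) for unserialize() to put it to use. The json_decode() path is preferable to `allowed_classes => false` because it also removes the need to trust the structure of the data, which is why the advisory recommends switching to JSON rather than merely restricting unserialize().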
This is corrected in OJS/OMP 3.1.2-2 or newer. See #5302 (comment) for patching instructions for older versions.
Affects OJS 3.x and OMP 3.x installations up to and including version 3.1.2-1.
Thanks to Franek Kalinowski, Isec.pl Research Team, for discovering and reporting the issue! This has been assigned CVE ID CVE-2019-19909.