
Incorrect trusting of user input in publication module

Low
driusan published GHSA-6prw-34x8-3gpg Apr 8, 2026

Package

publication

Affected versions

LORIS >= 20.0.0 && <=27.0.2, 28.0.0

Patched versions

27.0.3+, 28.0.1+

Description

Impact

An endpoint in the publication module was incorrectly trusting the baseURL submitted by a user's POST request rather than the internal LORIS value.

This could allow an attacker with publication module access to forge a notification email whose link pointed to an external domain under the attacker's control while appearing to come from LORIS.
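The trust boundary the description refers to, as an added illustration that is not LORIS code: the vulnerable shape builds the notification link from the request body, the hardened shape from server-side configuration only (getConfiguredBaseUrl() and the sample URL are assumed placeholders, not LORIS identifiers).

```php
<?php
// Added illustration, not LORIS code. The vulnerable shape mirrors the
// pre-patch notify(): the host of the emailed link comes from the request body.
function buildProjectLinkVulnerable(array $post, int $pubID): string
{
    // $post['baseURL'] is whatever host the client chose to send.
    return $post['baseURL'] . '/publication/view_project/?id=' . $pubID;
}

// Hardened shape: the host comes only from server-side configuration.
// getConfiguredBaseUrl() is a hypothetical accessor standing in for the
// deployment's own config lookup; the request body is never consulted.
function getConfiguredBaseUrl(): string
{
    return 'https://loris.example.org'; // constructed sample value
}

function buildProjectLinkHardened(int $pubID): string
{
    $base = rtrim(getConfiguredBaseUrl(), '/');
    // Refuse to emit a link if the configured value is not an absolute URL,
    // so a misconfiguration fails loudly instead of producing a bad link.
    if (parse_url($base, PHP_URL_HOST) === null) {
        throw new \RuntimeException('configured base URL has no host');
    }
    return $base . '/publication/view_project/?id=' . $pubID;
}

// Constructed request body as a client could submit it.
$post = ['baseURL' => 'https://not-loris.example'];
echo buildProjectLinkVulnerable($post, 42), "\n"; // host chosen by the client
echo buildProjectLinkHardened(42), "\n";          // host fixed by the server
```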

Patches

diff --git a/modules/publication/ajax/FileUpload.php b/modules/publication/ajax/FileUpload.php
index 0a7448e145..c5f4426244 100644
--- a/modules/publication/ajax/FileUpload.php
+++ b/modules/publication/ajax/FileUpload.php
@@ -140,7 +140,7 @@ function uploadPublication() : void
         showPublicationError($e->getMessage(), 500);
     }
 
-    notify($pubID, 'submission', $_POST['baseURL']);
+    notify($pubID, 'submission');
 }
 
 /**
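Review bot: the call site now drops the link entirely rather than replacing the request-supplied base URL with the server-side value the description mentions; since notify() already reads $config->getSetting('prefix'), the project URL could be taken from the same server-side configuration so recipients keep a working link. If dropping the link is intentional, this change is complete for this call site.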
@@ -428,13 +428,12 @@ function cleanup(int $pubID) : void
 /**
  * Send out email notifications for project submission
  *
- * @param int    $pubID   publication ID
- * @param string $type    The notification type i.e., submission|edit|review
- * @param string $baseURL the base URL of the loris site
+ * @param int    $pubID publication ID
+ * @param string $type  The notification type i.e., submission|edit|review
  *
  * @return void
  */
-function notify($pubID, $type, $baseURL) : void
+function notify($pubID, $type) : void
 {
     $acceptedTypes = [
         'submission',
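Review bot: PHP silently ignores surplus arguments, so any caller outside this patch that still passes $_POST['baseURL'] as a third argument will keep working without error; grep the module for other notify( calls beyond the three updated here. Since the docblock documents int and string parameters, `function notify(int $pubID, string $type) : void` would also be consistent with the declared types.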
@@ -471,14 +470,12 @@ function notify($pubID, $type, $baseURL) : void
     $emailData['Title']       = $data['Title'];
     $emailData['Date']        = $data['DateProposed'];
     $emailData['User']        = $user->getFullname();
-    $emailData['URL']         = $baseURL . '/publication/view_project/?id='.$pubID;
     $emailData['ProjectName'] = $config->getSetting('prefix');
     $Notifier = new \NDB_Notifier(
         "publication",
         $type
     );
     $msg_data = [
-        'URL'         => $emailData['URL'],
         'Title'       => $emailData['Title'],
         'User'        => $emailData['User'],
         'ProjectName' => $emailData['ProjectName'],
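Review bot: removing 'URL' from $msg_data means any Smarty template still referencing {$URL} renders an empty string without an error; the three notifier_publication_*.tpl files in this patch are updated, but verify that no other publication email template or notification type still expects the variable.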
@@ -650,10 +647,10 @@ function editProject() : void
     processFiles($id);
     // if publication status is changed, send review email
     if (isset($toUpdate['PublicationStatusID'])) {
-        notify($id, 'review', $_POST['baseURL']);
+        notify($id, 'review');
     } else {
         // otherwise send edit email
-        notify($id, 'edit', $_POST['baseURL']);
+        notify($id, 'edit');
     }
     if (!empty($toUpdate)) {
         $db->update(
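Review bot: the server now ignores baseURL, but the client-side code that puts it in the POST body is not part of this patch; follow up by removing the field from the request so the dead parameter does not suggest it is still honoured.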
diff --git a/smarty/templates/email/notifier_publication_edit.tpl b/smarty/templates/email/notifier_publication_edit.tpl
index f8caa2db72..d27059b45c 100644
--- a/smarty/templates/email/notifier_publication_edit.tpl
+++ b/smarty/templates/email/notifier_publication_edit.tpl
@@ -3,7 +3,7 @@ Subject: [LORIS] A project proposal has been edited
 Hello,
 
 The project proposal "{$Title}" has been edited by {$User}.
-You can view the changes by clicking the following link {$URL}.
+You can view the changes in the loris website.
 
 Thank you,
 The {$ProjectName} Team
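Review bot: "the loris website" in the replacement line is lower-case while the Subject line writes [LORIS]; consider "the LORIS website" for consistency across the three templates.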
diff --git a/smarty/templates/email/notifier_publication_review.tpl b/smarty/templates/email/notifier_publication_review.tpl
index fa80bf6c69..c2677b54b9 100644
--- a/smarty/templates/email/notifier_publication_review.tpl
+++ b/smarty/templates/email/notifier_publication_review.tpl
@@ -3,7 +3,7 @@ Subject: [LORIS] A project proposal has been reviewed
 Hello,
 
 The project proposal "{$Title}" has been reviewed.
-You can view the details by clicking the following link {$URL}.
+You can view the details in the loris website.
 
 Thank you,
 The {$ProjectName} Team
diff --git a/smarty/templates/email/notifier_publication_submission.tpl b/smarty/templates/email/notifier_publication_submission.tpl
index c5a304fbcd..976d5abb8e 100644
--- a/smarty/templates/email/notifier_publication_submission.tpl
+++ b/smarty/templates/email/notifier_publication_submission.tpl
@@ -4,7 +4,7 @@ Hello,
 
 This is to confirm the project proposal "{$Title}" received on {$Date}.
 We will notify you once this proposal has been reviewed. In the mean time, you
-can view the project proposal through the following link: {$URL}.
+can view the project proposal in the loris website.
 
 Thank you,
 The {$ProjectName} Team
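Review bot: "the loris website" in the replacement line is lower-case while the Subject line writes [LORIS], so "the LORIS website" would be consistent; the unchanged context line "In the mean time" should also read "In the meantime" and could be fixed in the same commit.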

Workarounds

A project not using the publication module can disable the publication module in LORIS.

Severity

Low


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CVE ID

CVE-2026-35400

Weaknesses

Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Credits