Open Journal System | Misconfiguration allows Guest Editor to read declined article submissions

Information

Software Type: Web App
Software Name: Open Journal System
Affected Version: 3.4
Software Vendor: Simon Fraser University
Software Link: https://github.com/pkp/ojs
Severity: Medium
CVSS Score: 6.5
CVE Link: N/A
Affected Assets: 52320+
Date of Discovery: Jan 7th, 2025
PoC Exploit: N/A

Description

In OJS 3.4, the “Articles Report” plugin is installed by default. It allows a logged-in user with the “Guest Editor” role to export the articles report: the plugin is not visually exposed to a “Guest Editor”, but a Guest Editor can still reach it because access to the export is not properly restricted.

When an article is submitted, it awaits a decision by a site moderator/admin, and regardless of whether the article is accepted or declined, the “Articles Report” keeps a record of it.

This exposes not only the article but also the email address of the author who submitted it.
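As an added example that is not part of this advisory, the following script checks web-server access logs for downloads of the Articles Report by accounts that hold none of the roles the export is meant for. The log lines, usernames and role map are constructed for the example, and the set of roles treated as allowed is an assumption.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed Apache-style access log lines (not taken from the report). The third
# field is the authenticated OJS username as a reverse proxy might record it.
SAMPLE_LOG = """\
10.0.0.5 - jmanager [07/Jan/2025:10:01:12 +0000] "GET /index.php/dks/stats/reports/report?pluginName=ArticleReportPlugin HTTP/1.1" 200 8421
10.0.0.9 - geditor [07/Jan/2025:10:03:44 +0000] "GET /index.php/dks/stats/reports/report?pluginName=ArticleReportPlugin HTTP/1.1" 200 8421
10.0.0.9 - geditor [07/Jan/2025:10:04:01 +0000] "GET /index.php/dks/stats/publications/publications HTTP/1.1" 200 1200
10.0.0.7 - reader1 [07/Jan/2025:10:05:30 +0000] "POST /index.php/dks/submission HTTP/1.1" 302 0
"""

# Constructed username -> roles map; in practice export it from the OJS user database.
USER_ROLES = {
    "jmanager": {"Journal Manager"},
    "geditor": {"Guest Editor"},
    "reader1": {"Reader"},
}

# Roles the report export is intended for (an assumption made for this check).
ALLOWED_ROLES = {"Journal Manager", "Site Admin"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_report_download(target: str) -> bool:
    """True when the request targets the stats report endpoint for the article report plugin."""
    parsed = urlparse(target)
    if not parsed.path.endswith("/stats/reports/report"):
        return False
    return "ArticleReportPlugin" in parse_qs(parsed.query).get("pluginName", [])

def find_unexpected_report_downloads(log_text, user_roles, allowed_roles=ALLOWED_ROLES):
    """Return (user, timestamp, target) for successful report downloads by users lacking an allowed role."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "200" or not is_report_download(m["target"]):
            continue
        if not user_roles.get(m["user"], set()) & allowed_roles:
            findings.append((m["user"], m["ts"], m["target"]))
    return findings

if __name__ == "__main__":
    for user, ts, target in find_unexpected_report_downloads(SAMPLE_LOG, USER_ROLES):
        print(f"{ts} {user} downloaded {target}")
```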


Reproduce

To reproduce, create an account with the “Reader” role.

Log in to that account and submit an article through the [index.php/dks/submission] endpoint.

Now log in to another account with the “Guest Editor” role and navigate to [/index.php/dks/stats/publications/publications], the page where reports of articles can be downloaded. However, the reports downloaded from there are empty, or at least contain no information on declined submissions.

To download reports, open the following link:

http://localhost:8000/index.php/dks/stats/reports/report?pluginName=ArticleReportPlugin

I found this link by logging into a “Journal Manager” account: go to Website > Plugins > find “Report Plugins” > click the blue triangle > click “Report”.

Once you click, a CSV file is downloaded.

Copy the link of that CSV file; it will look like this:

http://localhost:8000/index.php/dks/stats/reports/report?pluginName=ArticleReportPlugin


You can later open this link as a “Guest Editor” user.

Proof of Concept (PoC) Video

No PoC video available.


Posted on: May 24, 2025 05:07 AM