167 matches found
CVE-2024-38364 DSpace Cross Site Scripting (XSS) via a deposited HTML/XML document
DSpace is an open source software is a turnkey repository application used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser may execu...
CVE-2024-38364 DSpace Cross Site Scripting (XSS) via a deposited HTML/XML document
DSpace is an open source software is a turnkey repository application used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser may execu...
CVE-2024-38364 DSpace Cross Site Scripting (XSS) via a deposited HTML/XML document
DSpace is an open source software is a turnkey repository application used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser may execu...
DSpace Cross Site Scripting (XSS) via a deposited HTML/XML document
Impact In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This attack may only be initialized by a user who already has Submitter...
dspace.arpa.puglia.it Cross Site Scripting vulnerability OBB-3389112
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
GHSA-8RMH-55H4-93H5 DSpace ItemImportService API Vulnerable to Path Traversal in Simple Archive Format Package Import
Impact ItemImportServiceImpl is vulnerable to a path traversal vulnerability. This means a malicious SAF simple archive format package could cause a file/directory to be created anywhere the Tomcat/DSpace user can write to on the server. However, this path traversal vulnerability is only possible...
org.dspace.modules:additions (>=4.0 <=5.10), org.dspace.modules:jspui (>=4.0 <=5.10) +18 more potentially affected by CVE-2022-31195 via org.dspace:dspace-api (>=4.0 <=5.10)
org.dspace:dspace-api MAVEN version =4.0, =4.0, =4.0, =4.0, =5.0, =5.0, =4.0, =4.0, =4.0, =4.0, =4.0, =4.0, =4.0, =4.0, =4.0, =5.0, =5.10 and more Source cves: CVE-2022-31195 Source advisory: OSV:GHSA-8RMH-55H4-93H5...
de.the-library-code.dspace:addon-duplication-detection-service-api (>=6.2.0 <=6.3.1), de.the-library-code.dspace:addon-duplication-detection-service-jspui (>=6.2.0 <=6.3.1) +18 more potentially affected by CVE-2022-31195 via org.dspace:dspace-api (>=6.0 <=6.3)
org.dspace:dspace-api MAVEN version =6.0, =6.2.0, =6.2.0, =6.0, =6.0, =6.0, =6.0, =6.0, =6.0, =6.0, =6.0, =6.0, =6.0, =6.0, =6.3 and more Source cves: CVE-2022-31195 Source advisory: OSV:GHSA-8RMH-55H4-93H5...
DSpace ItemImportService API Vulnerable to Path Traversal in Simple Archive Format Package Import
Impact ItemImportServiceImpl is vulnerable to a path traversal vulnerability. This means a malicious SAF simple archive format package could cause a file/directory to be created anywhere the Tomcat/DSpace user can write to on the server. However, this path traversal vulnerability is only possible...
org.dspace.modules:jspui (>=4.0 <=5.10) potentially affected by CVE-2022-31194 via org.dspace:dspace-jspui (>=4.0 <=5.10)
org.dspace:dspace-jspui MAVEN version =4.0, =4.0, =5.10 Source cves: CVE-2022-31194 Source advisory: OSV:GHSA-QP5M-C3M9-8Q2P...
de.the-library-code.dspace:addon-duplication-detection-service-jspui (>=6.2.0 <=6.3.1), de.the-library-code.dspace:addon-identifiers-enduring-submission-jspui (=6.3.0) +1 more potentially affected by CVE-2022-31194 via org.dspace:dspace-jspui (>=6.0 <=6.3)
org.dspace:dspace-jspui MAVEN version =6.0, =6.2.0, =6.0, =6.3 Source cves: CVE-2022-31194 Source advisory: OSV:GHSA-QP5M-C3M9-8Q2P...
JSPUI vulnerable to path traversal in submission (resumable) upload
Impact The JSPUI resumable upload implementations in SubmissionController and FileUploadRequest are vulnerable to multiple path traversal attacks, allowing an attacker to create files/directories anywhere on the server writable by the Tomcat/DSpace user, by modifying some request parameters durin...
GHSA-763J-Q7WV-VF3M JSPUI's controlled vocabulary feature vulnerable to Open Redirect before v6.4 and v5.11
Impact The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack, where an attacker can craft a malicious URL that looks like a legitimate DSpace/repository URL. When that URL is clicked by the target, it redirects them to a site of the attacker's choice. This vulnerability...
org.dspace.modules:jspui (>=4.0 <=5.10) potentially affected by CVE-2022-31193 via org.dspace:dspace-jspui (>=4.0 <=5.10)
org.dspace:dspace-jspui MAVEN version =4.0, =4.0, =5.10 Source cves: CVE-2022-31193 Source advisory: OSV:GHSA-763J-Q7WV-VF3M...
de.the-library-code.dspace:addon-duplication-detection-service-jspui (>=6.2.0 <=6.3.1), de.the-library-code.dspace:addon-identifiers-enduring-submission-jspui (=6.3.0) +1 more potentially affected by CVE-2022-31193 via org.dspace:dspace-jspui (>=6.0 <=6.3)
org.dspace:dspace-jspui MAVEN version =6.0, =6.2.0, =6.0, =6.3 Source cves: CVE-2022-31193 Source advisory: OSV:GHSA-763J-Q7WV-VF3M...
JSPUI's controlled vocabulary feature vulnerable to Open Redirect before v6.4 and v5.11
Impact The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack, where an attacker can craft a malicious URL that looks like a legitimate DSpace/repository URL. When that URL is clicked by the target, it redirects them to a site of the attacker's choice. This vulnerability...
de.the-library-code.dspace:addon-duplication-detection-service-jspui (>=6.2.0 <=6.3.1), de.the-library-code.dspace:addon-identifiers-enduring-submission-jspui (=6.3.0) +1 more potentially affected by CVE-2022-31192 via org.dspace:dspace-jspui (>=6.0 <=6.3)
org.dspace:dspace-jspui MAVEN version =6.0, =6.2.0, =6.0, =6.3 Source cves: CVE-2022-31192 Source advisory: OSV:GHSA-4WM8-C2VV-XRPQ...
org.dspace.modules:jspui (>=5.0 <=5.10) potentially affected by CVE-2022-31192 via org.dspace:dspace-jspui (>=5.0 <=5.10)
org.dspace:dspace-jspui MAVEN version =5.0, =5.0, =5.10 Source cves: CVE-2022-31192 Source advisory: OSV:GHSA-4WM8-C2VV-XRPQ...
GHSA-4WM8-C2VV-XRPQ JSPUI Possible Cross Site Scripting in "Request a Copy" Feature
Impact The JSPUI "Request a Copy" feature does not properly escape values submitted and stored from the "Request a Copy" form. This means that item requests could be vulnerable to XSS attacks. This vulnerability only impacts the JSPUI. This vulnerability does NOT impact the XMLUI or 7.x. Patches...
JSPUI Possible Cross Site Scripting in "Request a Copy" Feature
Impact The JSPUI "Request a Copy" feature does not properly escape values submitted and stored from the "Request a Copy" form. This means that item requests could be vulnerable to XSS attacks. This vulnerability only impacts the JSPUI. This vulnerability does NOT impact the XMLUI or 7.x. Patches...