org.dataone.dspace:auto-versioning-xmlui (>=5.4.0 <=5.4.2), org.dspace.modules:xmlui (>=4.0 <=6.3) potentially affected by CVE-2022-31190 via org.dspace:dspace-xmlui (>=4.0 <=6.3)

org.dspace:dspace-xmlui MAVEN version =4.0, =5.4.0, =4.0, =6.3 Source cves: CVE-2022-31190 Source advisory: OSV:GHSA-7W85-PP86-P4PQ...

Information Disclosure

dspace-xmlui is vulnerable to information disclosure. The vulnerability exists because the generate function of DSpaceMETSGenerator.java does not properly check the read permissions for METS values, allowing an attacker to gain sensitive information through the XMLUI mets.xml object...

CVE-2022-31190

DSpace open source software is a repository application which provides durable access to digital resources. dspace-xmlui is a UI component for DSpace. In affected versions metadata on a withdrawn Item is exposed via the XMLUI "mets.xml" object, as long as you know the handle/URL of the withdrawn...

org.dspace.modules:xmlui (>=4.0 <=4.1) potentially affected by CVE-2016-10726 via org.dspace:dspace-xmlui (>=4.0 <=4.1)

org.dspace:dspace-xmlui MAVEN version =4.0, =4.0, =4.1 Source cves: CVE-2016-10726 Source advisory: OSV:GHSA-4M9R-5GQP-7J82...

High severity vulnerability that affects org.dspace:dspace-xmlui

The XMLUI feature in DSpace before 3.6, 4.x before 4.5, and 5.x before 5.5 allows directory traversal via the themes/ path in an attack with two or more arbitrary characters and a colon before a pathname, as demonstrated by a themes/Reference/aa:etc/passwd URI...

GHSA-4M9R-5GQP-7J82 High severity vulnerability that affects org.dspace:dspace-xmlui

The XMLUI feature in DSpace before 3.6, 4.x before 4.5, and 5.x before 5.5 allows directory traversal via the themes/ path in an attack with two or more arbitrary characters and a colon before a pathname, as demonstrated by a themes/Reference/aa:etc/passwd URI...

org.dataone.dspace:auto-versioning-xmlui (>=5.4.0 <=5.4.2), org.dspace.modules:xmlui (>=5.0 <=5.11) potentially affected by CVE-2016-10726 via org.dspace:dspace-xmlui (>=5.0 <=5.4)

org.dspace:dspace-xmlui MAVEN version =5.0, =5.4.0, =5.0, =5.11 Source cves: CVE-2016-10726 Source advisory: OSV:GHSA-4M9R-5GQP-7J82...