XML External Entity (XXE) Injection
org.dspace, dspace-api is vulnerable to XML External Entity (XXE) injection. The vulnerability is due to improper handling of XML input during archive import and interaction with external services, which allows an attacker to craft malicious XML payloads that may lead to sensitive file disclosure o...
High severity vulnerability that affects org.dspace:dspace-xmlui
The XMLUI feature in DSpace before 3.6, 4.x before 4.5, and 5.x before 5.5 allows directory traversal via the themes/ path in an attack with two or more arbitrary characters and a colon before a pathname, as demonstrated by a themes/Reference/aa:etc/passwd URI...