Lucene search
K
DuraspaceDspace

9 matches found

CVE
CVE
added 2022/08/01 8:35 p.m.459 views

CVE-2022-31195

CVE-2022-31195 affects DSpace open source software, specifically the ItemImportServiceImpl, which is vulnerable to a path traversal when processing SAF packages. A malicious SAF package could cause a file/directory to be created anywhere writable by the Tomcat/DSpace user, but only if the attacke...

7.2CVSS7AI score0.01118EPSS
Web
CVE
CVE
added 2022/08/01 8:25 p.m.117 views

CVE-2022-31194

The CVE-2022-31194 issue affects DSpace JSPUI in the resumable upload path, where SubmissionController and FileUploadRequest allow path traversal to write files/directories on the server, limited to users with submitter privileges (not anonymous/basic users). Root cause: manipulating submission r...

8.2CVSS7.2AI score0.00886EPSS
CVE
CVE
added 2022/08/01 8:30 p.m.115 views

CVE-2022-31192

The CVE-2022-31192 issue affects DSpace JSPUI (the Request a Copy feature) where input values submitted via the form are not properly escaped, enabling cross-site scripting (XSS) attacks in the JSPUI. The vulnerability is limited to JSPUI and does not affect XMLUI or other components. Remediation...

7.1CVSS6.1AI score0.00611EPSS
CVE
CVE
added 2022/08/01 8:25 p.m.108 views

CVE-2022-31193

DSpace JSPUI's controlled vocabulary servlet is vulnerable to an open redirect attack via crafted URLs. The issue affects the JSPUI component in DSpace, enabling redirection to attacker-controlled sites when a user clicks a malicious link. Patches exist for DSpace 5.x and 6.x (5.11 and 6.4); upgr...

7.1CVSS6.3AI score0.00579EPSS
CVE
CVE
added 2022/08/01 8:20 p.m.96 views

CVE-2022-31189

The CVE-2022-31189 issue affects the DSpace JSPUI component. When an internal system error occurs in the JSPUI, the application exposes the entire exception stack trace, which can disclose sensitive information. Affected product: DSpace JSPUI (UI for the repository app). Root cause: unsealed erro...

5.3CVSS5.1AI score0.00582EPSS
CVE
CVE
added 2022/08/01 8:10 p.m.93 views

CVE-2022-31190

CVE-2022-31190 (DSpace XMLUI) affects DSpace XMLUI by exposing metadata of withdrawn items via the mets.xml object when the handle/URL is known. The issue is limited to the XMLUI component; JSPUI and 7.x are not impacted. Impact is information disclosure of withdrawn-item metadata, not full compr...

5.3CVSS5.2AI score0.00712EPSS
CVE
CVE
added 2022/08/01 8:30 p.m.82 views

CVE-2022-31191

DSpace JSPUI is vulnerable to Cross-Site Scripting due to improper escaping of displayed text in the spellcheck and autocomplete components (data-spell attribute escaped, but not the rendered text). Affected product: DSpace JSPUI (not XMLUI/7.x). Root cause: HTML escaping gaps in the JSPUI spellc...

7.1CVSS6.2AI score0.00624EPSS
CVE
CVE
added 2021/10/29 5:25 p.m.75 views

CVE-2021-41189

CVE-2021-41189 affects DSpace 7.0; any community/collection administrator can escalate to system administrator due to a privilege elevation issue. The vulnerability is limited to 7.0 and is not present in 6.x or earlier. It is patched in 7.1. Workarounds in 7.0 include disabling community/collect...

9CVSS6.9AI score0.0199EPSS
CVE
CVE
added 2018/07/10 11:0 a.m.71 views

CVE-2016-10726

CVE-2016-10726 affects the DSpace XMLUI component. It describes a directory traversal vulnerability in the XMLUI feature present in DSpace versions: before 3.6, 4.x before 4.5, and 5.x before 5.5. The underlying issue is traversal via the themes/ path when a URI contains two or more arbitrary cha...

7.5CVSS7.5AI score0.02856EPSS