dspace-jspui is vulnerable to cross-site scripting. The vulnerability exists because discovery.jsp does not properly escape the data-spell attribute text and the autocomplete text before they are rendered on the page, allowing an attacker to inject and execute malicious JavaScript.

Name | Operator | Version |
---|---|---|
dspace jsp-ui | le | 6.3 |
dspace jsp-ui | le | 5.10 |

github.com/DSpace/DSpace/commit/35030a23e48b5946f5853332c797e1c4adea7bb7
github.com/DSpace/DSpace/commit/6f75bb084ab1937d094208c55cd84340040bcbb5
github.com/DSpace/DSpace/commit/c89e493e517b424dea6175caba54e91d3847fc3a
github.com/DSpace/DSpace/commit/ebb83a75234d3de9be129464013e998dc929b68d
github.com/DSpace/DSpace/security/advisories/GHSA-c558-5gfm-p2r8