CVE-2024-38364
2.6
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L
Summary
DSpace is an open source software is a turnkey repository application used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This vulnerability has been patched in version 7.6.2.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| DSpace | DSpace | >= 7.0, < 7.6.2 | affected |
Weaknesses
- CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf
- https://github.com/DSpace/DSpace/pull/8891
- https://github.com/DSpace/DSpace/pull/9638
- https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b
References
- https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf
- https://github.com/DSpace/DSpace/pull/8891
- https://github.com/DSpace/DSpace/pull/9638
- https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.