CVE-2024-38364

26.06.2024, 00:15

DSpace is an open source software is a turnkey repository application used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This vulnerability has been patched in version 7.6.2.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	2.6 LOW	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L
GitHub_M	CNA	2.6 LOW	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 35%

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b

https://github.com/DSpace/DSpace/pull/8891

https://github.com/DSpace/DSpace/pull/9638

https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf

https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b

https://github.com/DSpace/DSpace/pull/8891

https://github.com/DSpace/DSpace/pull/9638

https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf