← back
CVE-2024-38364

DSpace Cross Site Scripting (XSS) via a deposited HTML/XML document

CVSS 2.6 LOWEPSS 0.4%CWE-79
Vexday Risk Score
8Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 2.6EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
25 Jun 2024Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
DSpace is an open source software is a turnkey repository application used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This vulnerability has been patched in version 7.6.2.
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L
Affected products
DSpace · DSpace

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0bhttps://github.com/DSpace/DSpace/pull/8891https://github.com/DSpace/DSpace/pull/9638https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf