THREATINT

CVE
PUBLISHED

CVE-2024-38364

DSpace Cross Site Scripting (XSS) via a deposited HTML/XML document

Assigner: GitHub_M
Reserved: 2024-06-14
Published: 2024-06-25
Updated: 2024-07-05

Description

DSpace is an open source, turnkey repository application used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This vulnerability has been patched in version 7.6.2.



LOW: 2.6 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L)

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

>= 7.0, < 7.6.2: affected

References

https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf

https://github.com/DSpace/DSpace/pull/8891

https://github.com/DSpace/DSpace/pull/9638

https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b

cve.org CVE-2024-38364

nvd.nist.gov CVE-2024-38364
