Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-31191
Summary
DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI spellcheck version 4.x, 5.x prior to 5.11 and 6.x prior to 6.4 are vulnerable to XSS as HTML escapes the data-spell attribute in the link, but not the actual displayed text. Similarly, the JSPUI autocomplete version 4.x, 5.x prior to 5.11 and 6.x prior to 6.4 are vulnerable to XSS as HTML does not properly escape text passed to it. This vulnerability only impacts the JSPUI. Users are advised to upgrade. There are no known workarounds for this issue.
- LOW
- NETWORK
- LOW
- CHANGED
- REQUIRED
- NONE
- LOW
- NONE
CWE-79 - Cross Site Scripting
Cross-Site Scripting, commonly referred to as XSS, is the most dominant class of vulnerabilities. It allows an attacker to inject malicious code into a pregnable web application and victimize its users. The exploitation of such a weakness can cause severe issues such as account takeover, and sensitive data exfiltration. Because of the prevalence of XSS vulnerabilities and their high rate of exploitation, it has remained in the OWASP top 10 vulnerabilities for years.
References
Advisory Timeline
- Published