Skip to main content

URL Redirection to Untrusted Site ('Open Redirect')

CVE-2022-31193

Severity Medium
Score 6.1/10

Summary

DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI controlled vocabulary servlet versions 4.0-rc1 through 5.10 and 6.0-rc1 through 6.3 are vulnerable to an open redirect attack, where an attacker can craft a malicious URL that looks like a legitimate DSpace/repository URL. When that URL is clicked by the target, it redirects them to a site of the attacker's choice. Users are advised to upgrade. There are no known workaround for this vulnerability.

  • LOW
  • NETWORK
  • LOW
  • CHANGED
  • REQUIRED
  • NONE
  • LOW
  • NONE

CWE-601 - Open Redirect

An open redirect attack employs a URL parameter, HTML refresh tags, or a DOM based location change to exploit the trust of a vulnerable domain to direct the users to a malicious website. The attack could lead to higher severity vulnerabilities such as unauthorized access control, account takeover, XSS, and more.

Advisory Timeline

  • Published