CVE-2022-31192

2022-08-0121:15:13

CWE-79

[email protected]

web.nvd.nist.gov

dspace

open source software

repository application

digital resources

dspace-jspui

xss attacks

vulnerability

upgrade

nvd

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

0.001 Low

EPSS

Percentile

31.0%

JSON

DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI “Request a Copy” feature does not properly escape values submitted and stored from the “Request a Copy” form. This means that item requests could be vulnerable to XSS attacks. This vulnerability only impacts the JSPUI. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Vulners

NVD

Node

dspacedspaceRange6.0–6.4

dspacedspaceRange4.0–5.11

CPENameOperatorVersion
duraspace:dspaceduraspace dspacele5.10
duraspace:dspaceduraspace dspacelt6.4

CPE	Name	Operator	Version
duraspace:dspace	duraspace dspace	le	5.10
duraspace:dspace	duraspace dspace	lt	6.4

CNA Affected

[
  {
    "product": "DSpace",
    "vendor": "DSpace",
    "versions": [
      {
        "status": "affected",
        "version": ">= 6.0, < 6.4"
      },
      {
        "status": "affected",
        "version": ">= 4.0, < 5.11"
      }
    ]
  }
]