2.6 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L
3.2 Low
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.7%
In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user’s browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack.
This attack may only be initialized by a user who already has Submitter privileges in the repository. The submitter must upload the malicious HTML/XML/JavaScript file themselves. The attack itself would not occur until a visitor or logged-in user downloads the file or clicks on a download link shared by the attacker.
If your site is running the frontend and backend from separate domains, CORS and CSRF protection built into DSpace help to limit the impact of the attack.
If the repository is configured to only download HTML / XML / JavaScript Bitstreams using the Content-Disposition: attachment
header, then the attack is no longer possible. See “Workarounds” below.
The fix is included in both 8.0 and 7.6.2. Please upgrade to one of these versions, or manually apply one of the “Workarounds” below.
If you are already running 7.6 or 7.6.1, then this vulnerability can be fixed via a configuration update in your dspace.cfg
configuration file. See details in below.
DSpace sites running 7.6 or 7.6.1 can fix this issue by adding the following webui.content_disposition_format
settings to their dspace.cfg
(or local.cfg
). These settings force all HTML, XML, RDF & JavaScript files to always be downloaded to a user’s machine, blocking the attack. For more details see PR #9638
webui.content_disposition_format = text/html
webui.content_disposition_format = text/javascript
webui.content_disposition_format = text/xml
webui.content_disposition_format = rdf
These settings will take effect immediately. There is no need to restart Tomcat.
To verify the settings are working: upload an HTML or XML file to an in-progress submission. Attempt to download the file. The file should not open in your browser window. Instead, it should download to your local computer.
DSpace sites running 7.0 through 7.5 will need toeither (CHOOSE ONE):
webui.content_disposition_format
setting (which was first released in 7.6), and then apply the configuration changes mentioned above.
webui.content_disposition_format
setting can be added by applying the changes in PR #8891. A patch
file is also available.Content-Disposition: attachment
header to be sent for all files downloaded via /server/api/core/bitstreams/[uuid]/content
in the REST API.
<VirtualHost>
:# Set "Content-Disposition: attachment" whenever path is /server/api/core/bitstreams/[uuid]/content
Header set Content-Disposition attachment "expr=%{REQUEST_URI} =~ m#^/server/api/core/bitstreams/.*/content$#"
Discovered and reported by Muhammad Zeeshan (Xib3rR4dAr)
If you have any questions or comments about this advisory:
2.6 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L
3.2 Low
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.7%