CVE-2022-31191

EPSS 0.44%
Veröffentlicht 01.08.2022 21:15:13
Zuletzt bearbeitet 21.11.2024 07:04:05
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI spellcheck "Did you mean" HTML escapes the data-spell attribute in the link, but not the actual displayed text. Similarly, the JSPUI autocomplete HTML does not properly escape text passed to it. Both are vulnerable to XSS. This vulnerability only impacts the JSPUI. Users are advised to upgrade. There are no known workarounds for this issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Duraspace ≫ Dspace Version > 4.0 <= 5.10

Duraspace ≫ Dspace Version > 6.0 < 6.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.44%	0.628

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	7.1	2.8	3.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/DSpace/DSpace/commit/35030a23e48b5946f5853332c797e1c4adea7bb7

Patch

Third Party Advisory

https://github.com/DSpace/DSpace/commit/6f75bb084ab1937d094208c55cd84340040bcbb5

Patch

Third Party Advisory

https://github.com/DSpace/DSpace/commit/c89e493e517b424dea6175caba54e91d3847fc3a

Patch

Third Party Advisory

https://github.com/DSpace/DSpace/commit/ebb83a75234d3de9be129464013e998dc929b68d

Patch

Third Party Advisory