7.1

CVE-2022-31193

URL Redirection to Untrusted Site in DSpace JSPUI

DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack, where an attacker can craft a malicious URL that looks like a legitimate DSpace/repository URL. When that URL is clicked by the target, it redirects them to a site of the attacker's choice. This issue has been patched in versions 5.11 and 6.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Data provided by the National Vulnerability Database (NVD)

Affected products:
Duraspace DSpace, versions >= 4.0 and <= 5.10
Duraspace DSpace, versions > 6.0 and < 6.4

No advisory was found for this CVE.
EPSS Metrics
Type | Source    | Score | Percentile
EPSS | FIRST.org | 0.56% | 0.42

CVSS Metrics
Source                         | Base Score | Exploit Score | Impact Score | Vector String
nvd@nist.gov                   | 6.1        | 2.8           | 2.7          | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com | 7.1        | 2.8           | 3.7          | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

References:
https://github.com/DSpace/DSpace/commit/f7758457b7ec3489d525e39aa753cc70809d9ad9 (Patch, Third Party Advisory)
https://github.com/DSpace/DSpace/commit/5f72424a478f59061dcc516b866dcc687bc3f9de (Patch, Third Party Advisory)
https://github.com/DSpace/DSpace/security/advisories/GHSA-763j-q7wv-vf3m (Patch, Third Party Advisory)