DSpace is vulnerable to XML External Entity injection during archive imports
Two related XXE injection possibilities have been discovered, impacting all versions of DSpace prior to 7.6.4, 8.2 and 9.1. External entities are not disabled when parsing XML files during import of an archive (in Simple Archive Format), either from command-line (./dspace import command) or from the "Batch Import (Zip)" user interface feature. (Likely impacts all versions of DSpace 1.x <= 7.6.3, 8.0 <= 8.1, and 9.0) External entities are also …