CVE-2024-38364: DSpace Cross Site Scripting (XSS) via a deposited HTML/XML document
In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user’s browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack.
This attack may only be initiated by a user who already has Submitter privileges in the repository. The submitter must upload the malicious HTML/XML/JavaScript file themselves. The attack itself would not occur until a different authenticated user downloads the malicious file. CORS and CSRF protection built into DSpace help to limit the impact of the attack (and may block it in some scenarios).
If the repository is configured to only download HTML / XML / JavaScript Bitstreams using the Content-Disposition: attachment header, then the attack is no longer possible. See “Workarounds” below.
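As an added example (not DSpace's own code), a small Python check for the workaround above: it flags bitstream download responses that serve HTML / XML / JavaScript without a Content-Disposition: attachment header, and builds the hardened header value. The list of active MIME types and the sample responses are assumptions constructed for the example.

```python
# Added example, not DSpace code: classify bitstream download responses for the
# CVE-2024-38364 workaround. A response is risky when it carries an active content
# type (HTML / XML / JavaScript) without "Content-Disposition: attachment", because
# the browser may render it inline and run any embedded script in the repository origin.
from typing import Dict, List, Optional

# Assumed list of MIME types a browser may render or execute inline; any "+xml"
# suffix (e.g. image/svg+xml, application/xhtml+xml) is treated as XML as well.
ACTIVE_TYPES = {
    "text/html", "text/xml", "application/xml",
    "text/javascript", "application/javascript", "application/x-javascript",
}


def is_active_content(content_type: str) -> bool:
    """True for MIME types that a browser may render as a document or script."""
    mime = content_type.split(";", 1)[0].strip().lower()  # drop charset= etc.
    return mime in ACTIVE_TYPES or mime.endswith("+xml")


def disposition_type(content_disposition: Optional[str]) -> str:
    """Disposition type of the header; a missing header means inline rendering."""
    if not content_disposition:
        return "inline"
    return content_disposition.split(";", 1)[0].strip().lower()


def is_risky_download(headers: Dict[str, str]) -> bool:
    """True when the response would render active content inline (the XSS condition)."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not is_active_content(lowered.get("content-type", "")):
        return False
    return disposition_type(lowered.get("content-disposition")) != "attachment"


def hardened_disposition(content_type: str, filename: str) -> str:
    """Header value the workaround prescribes: force a download for active types only."""
    dtype = "attachment" if is_active_content(content_type) else "inline"
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return f'{dtype}; filename="{safe_name}"'


# Constructed sample responses (not captured from a real repository).
SAMPLE_RESPONSES = {
    "unpatched_html": {"Content-Type": "text/html; charset=UTF-8"},
    "xml_inline": {"Content-Type": "application/xml", "Content-Disposition": 'inline; filename="a.xml"'},
    "workaround_html": {"Content-Type": "text/html", "Content-Disposition": 'attachment; filename="a.html"'},
    "pdf_inline": {"Content-Type": "application/pdf", "Content-Disposition": "inline"},
}


def audit(responses: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of the responses that still allow inline rendering of active content."""
    return sorted(name for name, hdrs in responses.items() if is_risky_download(hdrs))
```

Running audit(SAMPLE_RESPONSES) on the constructed set reports the two responses that lack the attachment disposition; the PDF is not flagged because it is not an active type.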
References
- github.com/DSpace/DSpace
- github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b
- github.com/DSpace/DSpace/pull/8891
- github.com/DSpace/DSpace/pull/9638
- github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf
- github.com/advisories/GHSA-94cc-xjxr-pwvf
- nvd.nist.gov/vuln/detail/CVE-2024-38364