org.dspace:dspace-jspui@4.6 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.dspace:dspace-jspui package. This does not include vulnerabilities belonging to this package’s dependencies.

Generation of Error Message Containing Sensitive Information (severity: medium)

org.dspace:dspace-jspui is the DSpace JSP-based web application.

Affected versions of this package are vulnerable to Generation of Error Message Containing Sensitive Information. When an internal system error occurs in the JSPUI, the entire exception, including the stack trace, is returned to the user.

Note: This vulnerability does not impact the XMLUI or version 7.

How to fix Generation of Error Message Containing Sensitive Information?

Upgrade org.dspace:dspace-jspui to version 6.4 or higher.

Vulnerable versions: [4.0,6.4)

Directory Traversal (severity: high)

org.dspace:dspace-jspui is the DSpace JSP-based web application.

Affected versions of this package are vulnerable to Directory Traversal via the resumable upload implementations in the SubmissionController and FileUploadRequest components, allowing an attacker to create files or directories anywhere on the server that is writable by the Tomcat/DSpace user. Exploiting this vulnerability is possible for a user with submitter rights by modifying some request parameters during submission.

Note: This vulnerability cannot be exploited by an anonymous user or a basic user. The user must first have submitter privileges to at least one Collection and be able to determine how to modify the request parameters to exploit the vulnerability. This vulnerability does not impact the XMLUI or version 7.

How to fix Directory Traversal?

Upgrade org.dspace:dspace-jspui to version 5.11 or higher (5.x line) or 6.4 or higher (6.x line).

Vulnerable versions: [4.0,5.11) and [6.0,6.4)

Cross-site Scripting (XSS) (severity: high)

org.dspace:dspace-jspui is the DSpace JSP-based web application.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the spellcheck "Did you mean" component, which does not escape the displayed text, and via the autocomplete component, which does not escape the text passed to it.

Note: This vulnerability does not impact the XMLUI or version 7.

How to fix Cross-site Scripting (XSS)?

Upgrade org.dspace:dspace-jspui to version 5.11 or higher (5.x line) or 6.4 or higher (6.x line).

Vulnerable versions: [4.0,5.11) and [6.0,6.4)

Open Redirect (severity: high)

org.dspace:dspace-jspui is the DSpace JSP-based web application.

Affected versions of this package are vulnerable to Open Redirect via the controlled vocabulary servlet component. Exploiting this vulnerability is possible by crafting a malicious URL that looks like a legitimate DSpace/repository URL but redirects the target to a site of the attacker's choice when they click it.

Note: This vulnerability does not impact the XMLUI or version 7.

How to fix Open Redirect?

Upgrade org.dspace:dspace-jspui to version 5.11 or higher (5.x line) or 6.4 or higher (6.x line).

Vulnerable versions: [4.0,5.11) and [6.0,6.4)