Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) org.dspace:dspace is a digital asset management system that powers Institutional Repositories Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when loading Bitstream documents including HTML, XML or JavaScript, which may be inlined and executed in the browser rather than downloaded as-is. A user with Submitter privilege can cause JavaScript to be executed in another user's browser session by convincing another authenticated user to download a malicious file. Note: Existing DSpace CORS and CSRF protections limit the impact of this vulnerability. How to fix Cross-site Scripting (XSS)? Upgrade `org.dspace:dspace` to version 7.6.2 or higher.	[7.0,7.6.2)

Cross-site Scripting (XSS)

org.dspace:dspace is a digital asset management system that powers Institutional Repositories

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when loading Bitstream documents including HTML, XML or JavaScript, which may be inlined and executed in the browser rather than downloaded as-is. A user with Submitter privilege can cause JavaScript to be executed in another user's browser session by convincing another authenticated user to download a malicious file.

Note:

Existing DSpace CORS and CSRF protections limit the impact of this vulnerability.

How to fix Cross-site Scripting (XSS)?

Upgrade org.dspace:dspace to version 7.6.2 or higher.

[7.0,7.6.2)

Go back to all versions of this package