QwikSec

Security Database

CVE

CWE

Training

CVE-2022-31191

Published: Aug 1, 2022

Modified: Apr 23, 2025

PUBLISHED

CVSS v3.1

7.1

HIGH

Description

DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI spellcheck "Did you mean" HTML escapes the data-spell attribute in the link, but not the actual displayed text. Similarly, the JSPUI autocomplete HTML does not properly escape text passed to it. Both are vulnerable to XSS. This vulnerability only impacts the JSPUI. Users are advised to upgrade. There are no known workarounds for this issue.

Vendor	Product	Versions
DSpace	DSpace	affected `>= 6.0, < 6.4` affected `>= 4.0, < 5.11`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

References

https://github.com/DSpace/DSpace/security/advisories/GHSA-c558-5gfm-p2r8

x_refsource_CONFIRM

https://github.com/DSpace/DSpace/commit/35030a23e48b5946f5853332c797e1c4adea7bb7

x_refsource_MISC

https://github.com/DSpace/DSpace/commit/6f75bb084ab1937d094208c55cd84340040bcbb5

x_refsource_MISC

https://github.com/DSpace/DSpace/commit/c89e493e517b424dea6175caba54e91d3847fc3a

x_refsource_MISC

https://github.com/DSpace/DSpace/commit/ebb83a75234d3de9be129464013e998dc929b68d

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.