FKIE_CVE-2024-38364

Vulnerability from fkie_nvd - Published: 2024-06-26 00:15 - Updated: 2024-11-21 09:25
Severity ?
2.6 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L
Summary
DSpace is an open source software is a turnkey repository application used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This vulnerability has been patched in version 7.6.2.
References
security-advisories@github.comhttps://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b
security-advisories@github.comhttps://github.com/DSpace/DSpace/pull/8891
security-advisories@github.comhttps://github.com/DSpace/DSpace/pull/9638
security-advisories@github.comhttps://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf
af854a3a-2127-422b-91ae-364da2661108https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b
af854a3a-2127-422b-91ae-364da2661108https://github.com/DSpace/DSpace/pull/8891
af854a3a-2127-422b-91ae-364da2661108https://github.com/DSpace/DSpace/pull/9638
af854a3a-2127-422b-91ae-364da2661108https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "DSpace is an open source software is a turnkey repository application used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user\u0027s browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This vulnerability has been patched in version 7.6.2."
    },
    {
      "lang": "es",
      "value": "DSpace es un software de c\u00f3digo abierto, una aplicaci\u00f3n de repositorio llave en mano utilizada por m\u00e1s de 2000 organizaciones e instituciones en todo el mundo para brindar acceso duradero a recursos digitales. En DSpace 7.0 a 7.6.1, cuando se descarga un Bitstream HTML, XML o JavaScript, el navegador del usuario puede ejecutar cualquier JavaScript incrustado. Si ese JavaScript incrustado es malicioso, existe el riesgo de sufrir un ataque XSS. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 7.6.2."
    }
  ],
  "id": "CVE-2024-38364",
  "lastModified": "2024-11-21T09:25:27.740",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 2.6,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-06-26T00:15:10.480",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/DSpace/DSpace/pull/8891"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/DSpace/DSpace/pull/9638"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/DSpace/DSpace/pull/8891"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/DSpace/DSpace/pull/9638"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.