{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-38364", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-14T14:16:16.465Z", "datePublished": "2024-06-25T23:45:57.493Z", "dateUpdated": "2024-08-02T04:04:25.278Z"}, "containers": {"cna": {"title": "DSpace Cross Site Scripting (XSS) via a deposited HTML/XML document", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf"}, {"name": "https://github.com/DSpace/DSpace/pull/8891", "tags": ["x_refsource_MISC"], "url": "https://github.com/DSpace/DSpace/pull/8891"}, {"name": "https://github.com/DSpace/DSpace/pull/9638", "tags": ["x_refsource_MISC"], "url": "https://github.com/DSpace/DSpace/pull/9638"}, {"name": "https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b", "tags": ["x_refsource_MISC"], "url": "https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b"}], "affected": [{"vendor": "DSpace", "product": "DSpace", "versions": [{"version": ">= 7.0, < 7.6.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-25T23:45:57.493Z"}, "descriptions": [{"lang": "en", "value": "DSpace is an open source software is a turnkey repository application used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This vulnerability has been patched in version 7.6.2."}], "source": {"advisory": "GHSA-94cc-xjxr-pwvf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-38364", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-28T17:36:26.353986Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:22:48.955Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:04:25.278Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf"}, {"name": "https://github.com/DSpace/DSpace/pull/8891", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/DSpace/DSpace/pull/8891"}, {"name": "https://github.com/DSpace/DSpace/pull/9638", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/DSpace/DSpace/pull/9638"}, {"name": "https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-38364", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-28T17:36:26.353986Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:43.991Z"}}], "cna": {"title": "DSpace Cross Site Scripting (XSS) via a deposited HTML/XML document", "source": {"advisory": "GHSA-94cc-xjxr-pwvf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.6, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "DSpace", "product": "DSpace", "versions": [{"status": "affected", "version": ">= 7.0, < 7.6.2"}]}], "references": [{"url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf", "name": "https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/DSpace/DSpace/pull/8891", "name": "https://github.com/DSpace/DSpace/pull/8891", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/DSpace/DSpace/pull/9638", "name": "https://github.com/DSpace/DSpace/pull/9638", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b", "name": "https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "DSpace is an open source software is a turnkey repository application used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This vulnerability has been patched in version 7.6.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-25T23:45:57.493Z"}}}, "cveMetadata": {"cveId": "CVE-2024-38364", "state": "PUBLISHED", "dateUpdated": "2024-07-05T17:22:48.955Z", "dateReserved": "2024-06-14T14:16:16.465Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-06-25T23:45:57.493Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "DSpace is an open source software is a turnkey repository application used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This vulnerability has been patched in version 7.6.2."}, {"lang": "es", "value": "DSpace es un software de c\u00f3digo abierto, una aplicaci\u00f3n de repositorio llave en mano utilizada por m\u00e1s de 2000 organizaciones e instituciones en todo el mundo para brindar acceso duradero a recursos digitales. En DSpace 7.0 a 7.6.1, cuando se descarga un Bitstream HTML, XML o JavaScript, el navegador del usuario puede ejecutar cualquier JavaScript incrustado. Si ese JavaScript incrustado es malicioso, existe el riesgo de sufrir un ataque XSS. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 7.6.2."}], "id": "CVE-2024-38364", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-06-26T00:15:10.480", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b"}, {"source": "security-advisories@github.com", "url": "https://github.com/DSpace/DSpace/pull/8891"}, {"source": "security-advisories@github.com", "url": "https://github.com/DSpace/DSpace/pull/9638"}, {"source": "security-advisories@github.com", "url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/DSpace/DSpace/pull/8891"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/DSpace/DSpace/pull/9638"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}