CVE-2024-38364 - Vulnerability Details - OpenCVE

DSpace is an open source software is a turnkey repository application used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This vulnerability has been patched in version 7.6.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00112.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b
https://github.com/DSpace/DSpace/pull/8891
https://github.com/DSpace/DSpace/pull/9638
https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-06-25T23:45:57.493Z

Updated: 2024-08-02T04:04:25.278Z

Reserved: 2024-06-14T14:16:16.465Z

Link: CVE-2024-38364

Vulnrichment

Updated: 2024-07-05T15:20:43.991Z

NVD

Status : Deferred

Published: 2024-06-26T00:15:10.480

Modified: 2026-04-15T00:35:42.020

Link: CVE-2024-38364

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-38364", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-14T14:16:16.465Z", "datePublished": "2024-06-25T23:45:57.493Z", "dateUpdated": "2024-08-02T04:04:25.278Z"}, "containers": {"cna": {"title": "DSpace Cross Site Scripting (XSS) via a deposited HTML/XML document", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf"}, {"name": "https://github.com/DSpace/DSpace/pull/8891", "tags": ["x_refsource_MISC"], "url": "https://github.com/DSpace/DSpace/pull/8891"}, {"name": "https://github.com/DSpace/DSpace/pull/9638", "tags": ["x_refsource_MISC"], "url": "https://github.com/DSpace/DSpace/pull/9638"}, {"name": "https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b", "tags": ["x_refsource_MISC"], "url": "https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b"}], "affected": [{"vendor": "DSpace", "product": "DSpace", "versions": [{"version": ">= 7.0, < 7.6.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-25T23:45:57.493Z"}, "descriptions": [{"lang": "en", "value": "DSpace is an open source software is a turnkey repository application used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This vulnerability has been patched in version 7.6.2."}], "source": {"advisory": "GHSA-94cc-xjxr-pwvf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-38364", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-28T17:36:26.353986Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:22:48.955Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:04:25.278Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf"}, {"name": "https://github.com/DSpace/DSpace/pull/8891", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/DSpace/DSpace/pull/8891"}, {"name": "https://github.com/DSpace/DSpace/pull/9638", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/DSpace/DSpace/pull/9638"}, {"name": "https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-38364", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-28T17:36:26.353986Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:43.991Z"}}], "cna": {"title": "DSpace Cross Site Scripting (XSS) via a deposited HTML/XML document", "source": {"advisory": "GHSA-94cc-xjxr-pwvf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.6, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "DSpace", "product": "DSpace", "versions": [{"status": "affected", "version": ">= 7.0, < 7.6.2"}]}], "references": [{"url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf", "name": "https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/DSpace/DSpace/pull/8891", "name": "https://github.com/DSpace/DSpace/pull/8891", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/DSpace/DSpace/pull/9638", "name": "https://github.com/DSpace/DSpace/pull/9638", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b", "name": "https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "DSpace is an open source software is a turnkey repository application used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This vulnerability has been patched in version 7.6.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-25T23:45:57.493Z"}}}, "cveMetadata": {"cveId": "CVE-2024-38364", "state": "PUBLISHED", "dateUpdated": "2024-07-05T17:22:48.955Z", "dateReserved": "2024-06-14T14:16:16.465Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-06-25T23:45:57.493Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "DSpace is an open source software is a turnkey repository application used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This vulnerability has been patched in version 7.6.2."}, {"lang": "es", "value": "DSpace es un software de c\u00f3digo abierto, una aplicaci\u00f3n de repositorio llave en mano utilizada por m\u00e1s de 2000 organizaciones e instituciones en todo el mundo para brindar acceso duradero a recursos digitales. En DSpace 7.0 a 7.6.1, cuando se descarga un Bitstream HTML, XML o JavaScript, el navegador del usuario puede ejecutar cualquier JavaScript incrustado. Si ese JavaScript incrustado es malicioso, existe el riesgo de sufrir un ataque XSS. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 7.6.2."}], "id": "CVE-2024-38364", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-06-26T00:15:10.480", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b"}, {"source": "security-advisories@github.com", "url": "https://github.com/DSpace/DSpace/pull/8891"}, {"source": "security-advisories@github.com", "url": "https://github.com/DSpace/DSpace/pull/9638"}, {"source": "security-advisories@github.com", "url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/DSpace/DSpace/pull/8891"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/DSpace/DSpace/pull/9638"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}