CVE-2024-38364

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-38364
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-38364.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-38364
Aliases
Published
2024-06-25T23:45:57Z
Modified
2025-10-20T20:27:18.547506Z
Severity
  • 2.6 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L
Summary
DSpace Cross Site Scripting (XSS) via a deposited HTML/XML document
Details

DSpace is an open source, turnkey repository application used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This vulnerability has been patched in version 7.6.2.

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/dspace/dspace

Affected ranges

Type
GIT
Repo
https://github.com/dspace/dspace
Events

Affected versions

dspace-7.*

dspace-7.0
dspace-7.1
dspace-7.2
dspace-7.2.1
dspace-7.3
dspace-7.4
dspace-7.5
dspace-7.6
dspace-7.6.1