Joe Corall

**Name of the Vulnerable Software and Affected Versions** Drupal Islandora versions prior to 2.17.5 **Description** A flaw exists in Drupal Islandora that allows for Cross-Site Scripting (XSS). The issue stems from insufficient sanitization of URI paths used in a custom route for attaching media to nodes. Exploitation requires an attacker to have the 'create media' permission and the ability to edit the node to which the media is attached. Islandora is an open-source digital asset management (DAM) framework that integrates with various open-source services in a distributed environment. The vulnerable component doesn't properly sanitize input during web page generation. **Recommendations** Update to Islandora version 2.17.5 or later.