DSpace · DSpace · CVE-2022-31192
**Name of the Vulnerable Software and Affected Versions**
DSpace versions prior to 5.11
DSpace versions prior to 6.4
**Description**
The JSPUI "Request a Copy" feature does not properly escape values submitted and stored from the "Request a Copy" form, making item requests vulnerable to XSS attacks. This issue only impacts the JSPUI, and users are advised to upgrade. There are no known workarounds for this vulnerability.
**Recommendations**
For DSpace 5.x, upgrade to version 5.11 or apply the patch file from https://github.com/DSpace/DSpace/commit/28eb8158210d41168a62ed5f9e044f754513bc37.patch.
For DSpace 6.x, upgrade to version 6.4 or apply the patch file from https://github.com/DSpace/DSpace/commit/503a6af57fd720c37b0d86c34de63baa5dd85819.patch.
As a temporary workaround, consider disabling the "Request a Copy" feature by commenting out the `request.item.type = all` configuration or setting its value to empty.
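
To confirm that the workaround is actually in effect, the following added example (not part of the advisory or of DSpace's own tooling) reports whether any given configuration file still has an active, non-empty `request.item.type`. The function name `request_copy_state` and the sample file names are assumptions made for illustration; pass it whichever configuration files your installation loads.

```shell
#!/bin/sh
# Added example: audit DSpace config files for the "Request a Copy" workaround.
# Prints "enabled" if any given file has an uncommented request.item.type
# with a non-empty value, otherwise "disabled".
request_copy_state() {
    [ "$#" -gt 0 ] || { echo "usage: request_copy_state FILE..." >&2; return 2; }
    for f in "$@"; do
        [ -r "$f" ] || { echo "unreadable: $f" >&2; return 2; }
    done
    if awk '
        /^[ \t]*[#!]/ { next }                      # comment lines do not count
        /^[ \t]*request\.item\.type[ \t]*[=:]/ {    # key followed by = or :
            val = $0
            sub(/^[ \t]*request\.item\.type[ \t]*[=:][ \t]*/, "", val)
            sub(/[ \t\r]+$/, "", val)               # trailing blanks / CR
            if (val != "") found = 1                # empty value = disabled
        }
        END { exit found ? 0 : 1 }
    ' "$@"; then
        echo enabled
    else
        echo disabled
    fi
}

# Constructed sample files (not taken from a real installation).
demo=$(mktemp -d)
printf '%s\n' 'request.item.type = all' > "$demo/before.cfg"
printf '%s\n' '# request.item.type = all' 'request.item.type =' > "$demo/after.cfg"
echo "before.cfg: $(request_copy_state "$demo/before.cfg")"
echo "after.cfg:  $(request_copy_state "$demo/after.cfg")"
rm -rf "$demo"
```

The check is deliberately conservative: a single active assignment in any of the files passed counts as enabled, regardless of which file the application would give precedence.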