DSpace · DSpace · CVE-2022-31190
**Name of the Vulnerable Software and Affected Versions**
DSpace versions prior to 6.4
**Description**
Metadata on withdrawn items is exposed via the XMLUI "mets.xml" object whenever the handle/URL of the withdrawn item is known. The issue affects the XMLUI component of DSpace. Its severity is considered low, as item metadata typically does not contain highly sensitive information.
**Recommendations**
To resolve the issue, upgrade to DSpace version 6.4 or newer. For DSpace 6.x, a patch file is available that can be applied manually if an immediate upgrade to 6.4 or above is not possible: download the patch file, apply it from the DSpace source folder, rebuild DSpace, redeploy it, and then restart Tomcat. As a workaround, permanently deleting withdrawn items whose metadata is highly sensitive ensures that the metadata is inaccessible and removed from the system entirely.