Mgeerdsen

**Name of the Vulnerable Software and Affected Versions** Goobi viewer versions 4.8.0 through 26.04.0 **Description** The REST endpoint "POST /api/v1/index/stream" accepts arbitrary Solr streaming expressions from unauthenticated network clients and forwards them to the backend Solr server without restriction. This allows an attacker to read the complete Solr index, including documents protected by access conditions, license requirements, or IP restrictions. Additionally, in default Solr deployments, attackers can use `update()` streaming expressions to overwrite indexed field values, alter metadata, or corrupt document structures, and use `delete()` streaming expressions to permanently remove documents or the entire collection. **Recommendations** Update to version 26.04.1. As a temporary workaround, block the "/api/v1/index/stream" endpoint using a reverse proxy or within the Tomcat configuration.

**Name of the Vulnerable Software and Affected Versions** Goobi viewer core versions prior to 23.03 **Description** A cross-site scripting issue has been identified in the user comment feature of the Goobi viewer core. This allows an attacker to create a specially crafted comment that results in the execution of malicious script code in the user's browser when the comment is displayed. **Recommendations** For versions prior to 23.03, update to version 23.03 to resolve the issue. As a temporary workaround, consider disabling the user comment feature until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Goobi viewer versions prior to 23.03 **Description** The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A cross-site scripting vulnerability has been identified in Goobi viewer core when using nicknames. An attacker could create a user account and enter malicious scripts into their profile's nickname, resulting in the execution in the user's browser when displaying the nickname on certain pages. **Recommendations** For versions prior to 23.03, update to version 23.03 to resolve the issue. As a temporary workaround, consider restricting the use of nicknames in user profiles until the update is applied. Avoid displaying user nicknames on certain pages until the issue is resolved.