Thomas Vogt

**Name of the Vulnerable Software and Affected Versions** Secure Data Space SDS-API versions prior to 3.5.7 **Description** The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to security breaches. This can be achieved through the "PATH INFO" to "api/v3/public/shares/downloads/", the `authType` parameter to "api/v3/auth/login", or the `login` parameter to "api/v3/auth/reset password". **Recommendations** For versions prior to 3.5.7, update to version 3.5.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints "api/v3/public/shares/downloads/", "api/v3/auth/login", and "api/v3/auth/reset password" until a patch is applied. Avoid using the `authType` and `login` parameters in the affected API endpoints until the issue is resolved.