PT-2022-20601 · Dspace · Dspace

Andrea Bollini

·

Published

2022-08-01

·

Updated

2022-08-08

·

CVE-2022-31192

CVSS v3.1

7.1

High

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions

DSpace versions prior to 5.11
DSpace versions prior to 6.4
Description

The JSPUI "Request a Copy" feature does not properly escape the values submitted through the "Request a Copy" form before they are stored and later rendered, so a requester (no authentication is needed when the feature is open to all users, as the CVSS vector's PR:N reflects) can plant a stored cross-site scripting (XSS) payload that executes in the browser of whoever views the resulting item request. This issue only impacts the JSPUI; other DSpace user interfaces are not affected. Users are advised to upgrade. The upstream advisory lists no workaround other than upgrading, although disabling the feature (see Recommendations) removes the vulnerable form as an interim mitigation.
Recommendations

For DSpace 5.x, upgrade to version 5.11 or apply the patch file from https://github.com/DSpace/DSpace/commit/28eb8158210d41168a62ed5f9e044f754513bc37.patch. For DSpace 6.x, upgrade to version 6.4 or apply the patch file from https://github.com/DSpace/DSpace/commit/503a6af57fd720c37b0d86c34de63baa5dd85819.patch. Until the upgrade or patch is in place, disable the "Request a Copy" feature as a temporary mitigation by commenting out the request.item.type = all setting in dspace.cfg (or the local.cfg override on 6.x) or setting its value to empty, then confirm in the JSPUI that the request form is no longer offered for restricted bitstreams. Note that disabling the feature does not remove payloads already stored by earlier requests; those requests still need to be reviewed, and the escaping fix from the patch is still required.
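The following is an added example, not code from the DSpace project or from this advisory: a POSIX shell script an operator can run to decide whether a deployment is exposed. It applies the version thresholds the advisory names (fixed in 5.11 and 6.4) and checks whether the "Request a Copy" feature is still enabled by looking for an uncommented, non-empty request.item.type assignment in a configuration file. The sample configuration files it writes are constructed for the demonstration; the real file is the deployment's dspace.cfg (or local.cfg on 6.x). Version strings are taken as an argument rather than parsed from any DSpace command output, so no assumption is made about that output's format.

```shell
#!/bin/sh
# Added example (not DSpace project code): assess exposure to CVE-2022-31192.

# Return 0 if "$1" is a DSpace version the advisory lists as affected
# (5.x before 5.11, 6.x before 6.4). Other release lines are not covered
# by the advisory and yield status 2. Only major.minor is compared; a
# pre-release suffix such as "-SNAPSHOT" on the minor component is ignored.
dspace_version_affected() {
    major=${1%%.*}
    case "$1" in
        *.*) minor=${1#*.}; minor=${minor%%.*} ;;
        *)   minor=0 ;;
    esac
    minor=$(printf '%s' "$minor" | sed 's/[^0-9].*//')
    case "$major" in
        5) [ "${minor:-0}" -lt 11 ] ;;
        6) [ "${minor:-0}" -lt 4 ] ;;
        *) return 2 ;;
    esac
}

# Return 0 if the config file "$1" enables Request a Copy, i.e. contains an
# uncommented request.item.type line whose value is non-empty. A commented
# line or an empty value (the advisory's temporary mitigation) yields 1.
request_a_copy_enabled() {
    grep -Eq '^[[:space:]]*request\.item\.type[[:space:]]*=[[:space:]]*[^[:space:]#]' "$1"
}

# Print an assessment for version "$1" and config file "$2".
# Return 0 only when the deployment is exposed: affected version AND
# the vulnerable feature enabled. Any other combination returns 1.
assess() {
    version=$1
    cfg=$2
    if dspace_version_affected "$version"; then
        if request_a_copy_enabled "$cfg"; then
            echo "EXPOSED: DSpace $version is affected by CVE-2022-31192 and Request a Copy is enabled in $cfg"
            return 0
        fi
        echo "MITIGATED: DSpace $version is affected but Request a Copy is disabled in $cfg; upgrade is still required"
        return 1
    fi
    echo "NOT AFFECTED: DSpace $version is at or beyond the fixed version, or outside the 5.x/6.x lines"
    return 1
}

# Constructed sample configs for a self-contained run (not real DSpace files).
# Prints the directory that holds enabled.cfg, commented.cfg and empty.cfg.
make_samples() {
    dir=$(mktemp -d)
    printf 'dspace.name = Demo\nrequest.item.type = all\n'  > "$dir/enabled.cfg"
    printf 'dspace.name = Demo\n#request.item.type = all\n' > "$dir/commented.cfg"
    printf 'dspace.name = Demo\nrequest.item.type =\n'      > "$dir/empty.cfg"
    printf '%s' "$dir"
}

# Usage: ./check_cve_2022_31192.sh <dspace-version> <path/to/dspace.cfg>
# With no arguments the script only defines the functions above.
if [ "$#" -ge 2 ]; then
    assess "$1" "$2"
fi
```

Running `./check_cve_2022_31192.sh 6.3 /dspace/config/dspace.cfg` on a stock 6.3 install reports EXPOSED; after commenting out request.item.type it reports MITIGATED, which is the intended interim state until 6.4 or the patch is deployed. Because DSpace reads later definitions of a key over earlier ones, a file with both a commented and an active assignment should be inspected by hand; the grep flags any active assignment.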

Weakness Enumeration

XSS
Related Identifiers

CVE-2022-31192
GHSA-4WM8-C2VV-XRPQ

Affected Products

Dspace