PT-2022-20602 · Dspace · Dspace

Johannes Moritz · Published 2022-08-01 · Updated 2022-08-08 · CVE-2022-31193

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions

DSpace versions prior to 5.11
DSpace versions prior to 6.4

Description

The JSPUI controlled vocabulary servlet in DSpace is vulnerable to an open redirect attack. An attacker can craft a URL that looks like a legitimate DSpace/repository URL but, when clicked, redirects the target to a site of the attacker's choice. This issue does not affect the XMLUI or 7.x versions.

Recommendations

For DSpace 5.x versions: upgrade to version 5.11, or apply the patch file from https://github.com/DSpace/DSpace/commit/5f72424a478f59061dcc516b866dcc687bc3f9de.patch and follow the instructions to apply it manually.

For DSpace 6.x versions: upgrade to version 6.4, or apply the patch file from https://github.com/DSpace/DSpace/commit/f7758457b7ec3489d525e39aa753cc70809d9ad9.patch and follow the instructions to apply it manually.

In general, if an immediate upgrade is not possible, manually applying the provided patches is recommended.
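As an added example (not DSpace's code and not the content of the patches above), the kind of allow-list check a servlet can apply to a user-supplied redirect target before calling sendRedirect(), so that a look-alike URL cannot send the visitor off-site; the host name repository.example.org is an assumed placeholder:

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Added example, not DSpace code: validates a redirect target before the
 * servlet issues response.sendRedirect(). Only absolute paths inside the
 * repository, or http(s) URLs whose host is the repository's own host, are
 * accepted; anything else falls back to the site root. TRUSTED_HOST is an
 * assumed placeholder value.
 */
public final class SafeRedirect {
    private static final String TRUSTED_HOST = "repository.example.org";
    private static final String FALLBACK = "/";

    /** Returns the target if it is safe to redirect to, otherwise FALLBACK. */
    public static String sanitize(String target) {
        if (target == null || target.isEmpty()) {
            return FALLBACK;
        }
        // Some browsers treat "/\host" like "//host", so normalise backslashes first.
        String candidate = target.replace('\\', '/');
        URI uri;
        try {
            uri = new URI(candidate).normalize();
        } catch (URISyntaxException e) {
            return FALLBACK; // whitespace, control characters, unbalanced escapes, ...
        }
        if (uri.getScheme() != null) {
            // Absolute URL: only http(s) pointing at our own host is allowed.
            String scheme = uri.getScheme().toLowerCase();
            if (!scheme.equals("http") && !scheme.equals("https")) {
                return FALLBACK;
            }
            if (!TRUSTED_HOST.equalsIgnoreCase(uri.getHost())) {
                return FALLBACK;
            }
            return candidate;
        }
        // No scheme: reject protocol-relative "//host/..." (has an authority part).
        if (uri.getRawAuthority() != null || candidate.startsWith("//")) {
            return FALLBACK;
        }
        // Must be a site-local absolute path such as "/handle/123/456?x=1".
        if (uri.getRawPath() == null || !uri.getRawPath().startsWith("/")) {
            return FALLBACK;
        }
        return candidate;
    }
}
```

With this check in place, a target such as "//evil.example/" or "https://repository.example.org.evil.example/" resolves to "/", while "/handle/123/456" is passed through unchanged.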

Weakness Enumeration

Open Redirect

Related Identifiers

CVE-2022-31193
GHSA-763J-Q7WV-VF3M

Affected Products

Dspace