PT-2024-27961 · Dspace · Dspace

Xib3Rr4Dar · Published 2024-06-25 · Updated 2024-06-26 · CVE-2024-38364

CVSS v3.1: 2.6 Low
Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: DSpace versions 7.0 through 7.6.1

Description: DSpace is open source software used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In the affected versions, when an HTML, XML, or JavaScript Bitstream is downloaded, the user's browser may execute any embedded JavaScript, potentially leading to an XSS attack. This issue can be exploited by a user with Submitter privileges who uploads a malicious HTML/XML/JavaScript file. The attack occurs when a visitor or logged-in user downloads the file or clicks on a download link shared by the attacker. If the repository is configured to only download HTML/XML/JavaScript Bitstreams using the Content-Disposition: attachment header, the attack is no longer possible.

Recommendations: For DSpace versions 7.6 or 7.6.1, add the following webui.content_disposition_format settings to the dspace.cfg configuration file to force all HTML, XML, RDF, and JavaScript files to always be downloaded to the user's machine:

webui.content_disposition_format = text/html
webui.content_disposition_format = text/javascript
webui.content_disposition_format = text/xml
webui.content_disposition_format = rdf

For DSpace versions 7.0 through 7.5, either upgrade to 7.6.2 or 8.0, or upgrade to 7.6 or 7.6.1 and apply the configuration change above. Alternatively, manually add the webui.content_disposition_format setting and apply the configuration changes, or find another way to force the Content-Disposition: attachment header to be sent for all files downloaded via the /server/api/core/bitstreams/[uuid]/content API endpoint.
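The following is an added verification example, not DSpace project code: it audits a dspace.cfg fragment for the four webui.content_disposition_format entries the recommendation lists, and classifies a response from the bitstream content endpoint as forced download ("attachment") or browser-rendered ("inline") from its headers. The function names, the constructed config sample, the constructed header dictionaries and the extra MIME aliases (application/javascript, application/xml, application/rdf+xml) are assumptions made for the example.

```python
"""Audit helpers for the CVE-2024-38364 mitigation (added example, not DSpace code).

Two checks a defender wants after applying the recommendation:
  1. does dspace.cfg actually list every required format, uncommented?
  2. does a bitstream response for a risky content type carry
     Content-Disposition: attachment, so the browser downloads it instead of
     rendering it in the repository's origin?
"""
import re

# Formats the advisory says must always be served as attachments.
REQUIRED_FORMATS = {"text/html", "text/javascript", "text/xml", "rdf"}

# Content types whose inline rendering lets embedded script run. The
# text/* entries come from the advisory; the application/* aliases are an
# assumption added here for completeness.
RISKY_CONTENT_TYPES = {
    "text/html", "text/javascript", "text/xml",
    "application/javascript", "application/xml", "application/rdf+xml",
}

# Constructed dspace.cfg fragment: one entry is commented out and one is
# missing entirely, which a plain grep for the key name would not catch.
SAMPLE_CFG = """\
# Bitstream formats that are always served as attachments
webui.content_disposition_format = text/html
#webui.content_disposition_format = text/javascript
webui.content_disposition_format = rdf
"""

_CFG_LINE = re.compile(r"^\s*webui\.content_disposition_format\s*=\s*(\S+)\s*$")


def configured_formats(cfg_text):
    """Return the formats named by active (uncommented) entries in cfg_text."""
    found = set()
    for line in cfg_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out entry has no effect
        match = _CFG_LINE.match(line)
        if match:
            found.add(match.group(1).lower())
    return found


def missing_formats(cfg_text):
    """Formats from the advisory's list that cfg_text does not force to download."""
    return sorted(REQUIRED_FORMATS - configured_formats(cfg_text))


def response_disposition(headers):
    """Classify a bitstream response by its headers (constructed dict, no network).

    Returns "attachment" when the browser is told to download the body,
    "inline" when a risky body would be rendered in the page context, or
    "other" for content types the advisory does not cover.
    """
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype not in RISKY_CONTENT_TYPES:
        return "other"
    disposition = headers.get("Content-Disposition", "").split(";")[0].strip().lower()
    return "attachment" if disposition == "attachment" else "inline"


if __name__ == "__main__":
    print("missing from config:", missing_formats(SAMPLE_CFG))
    # Constructed headers as a patched server would send them for an HTML bitstream.
    patched = {"Content-Type": "text/html; charset=UTF-8",
               "Content-Disposition": 'attachment; filename="upload.html"'}
    # Constructed headers for the vulnerable behaviour: no disposition at all.
    unpatched = {"Content-Type": "text/html; charset=UTF-8"}
    print("patched:", response_disposition(patched))
    print("unpatched:", response_disposition(unpatched))
```

Run it against a real dspace.cfg by reading the file into missing_formats(); an empty list means all four entries are present and active. For the header check, feed response_disposition() the headers captured from a HEAD or GET of /server/api/core/bitstreams/[uuid]/content for a known HTML bitstream; anything other than "attachment" for a risky content type means the mitigation is not in effect on that path.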

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2024-38364
GHSA-94CC-XJXR-PWVF

Affected Products

Dspace