Skip to content

DSpace Cross Site Scripting (XSS) via a deposited HTML/XML document

Low severity GitHub Reviewed Published Jun 25, 2024 in DSpace/DSpace • Updated Jun 28, 2024

Package

maven org.dspace:dspace-server-webapp (Maven)

Affected versions

>= 7.0, < 7.6.2

Patched versions

7.6.2

Description

Impact

In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack.

This attack may only be initialized by a user who already has Submitter privileges in the repository. The submitter must upload the malicious HTML/XML/JavaScript file themselves. The attack itself would not occur until a visitor or logged-in user downloads the file or clicks on a download link shared by the attacker.

If your site is running the frontend and backend from separate domains, CORS and CSRF protection built into DSpace help to limit the impact of the attack.

If the repository is configured to only download HTML / XML / JavaScript Bitstreams using the Content-Disposition: attachment header, then the attack is no longer possible. See "Workarounds" below.

Patches

The fix is included in both 8.0 and 7.6.2. Please upgrade to one of these versions, or manually apply one of the "Workarounds" below.

If you are already running 7.6 or 7.6.1, then this vulnerability can be fixed via a configuration update in your dspace.cfg configuration file. See details in below.

Workarounds

DSpace sites running 7.6 or 7.6.1 can fix this issue by adding the following webui.content_disposition_format settings to their dspace.cfg (or local.cfg). These settings force all HTML, XML, RDF & JavaScript files to always be downloaded to a user's machine, blocking the attack. For more details see PR #9638

webui.content_disposition_format = text/html
webui.content_disposition_format = text/javascript
webui.content_disposition_format = text/xml
webui.content_disposition_format = rdf

These settings will take effect immediately. There is no need to restart Tomcat.

To verify the settings are working: upload an HTML or XML file to an in-progress submission. Attempt to download the file. The file should not open in your browser window. Instead, it should download to your local computer.

DSpace sites running 7.0 through 7.5 will need to either (CHOOSE ONE):

  • Upgrade to 7.6.2 or 8.0
  • Or, upgrade to 7.6 or 7.6.1 and then apply the configuration change mentioned above
  • Or, manually add the webui.content_disposition_format setting (which was first released in 7.6), and then apply the configuration changes mentioned above.
    • The webui.content_disposition_format setting can be added by applying the changes in PR #8891. A patch file is also available.
    • Please be aware this patch may not apply cleanly to all prior versions of 7.x. In that scenario, you would need to find a way to manually apply the changes or consider a different workaround.
  • Or, find a way in your Apache or NGinx proxy to force the Content-Disposition: attachment header to be sent for all files downloaded via /server/api/core/bitstreams/[uuid]/content in the REST API.
    • NOTE: This workaround will patch the vulnerability. However, it does so by no longer allowing users to open any downloaded files in their browser window. (This behavior may or may not be desirable in the long term, so you may wish to remove it in the future, once you have upgraded.)
    • For example, in Apache, using "mod_headers", you may add a configuration similar to this in your <VirtualHost>:
      # Set "Content-Disposition: attachment" whenever path is /server/api/core/bitstreams/[uuid]/content
      Header set Content-Disposition attachment "expr=%{REQUEST_URI} =~ m#^/server/api/core/bitstreams/.*/content$#"
      

References

Discovered and reported by Muhammad Zeeshan (Xib3rR4dAr)

For more information

If you have any questions or comments about this advisory:

References

@tdonohue tdonohue published to DSpace/DSpace Jun 25, 2024
Published to the GitHub Advisory Database Jun 25, 2024
Reviewed Jun 25, 2024
Published by the National Vulnerability Database Jun 26, 2024
Last updated Jun 28, 2024

Severity

Low

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L

EPSS score

0.045%
(18th percentile)

Weaknesses

CVE ID

CVE-2024-38364

GHSA ID

GHSA-94cc-xjxr-pwvf

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.