Cross Site Scripting possible in DSpace JSPUI spellcheck and autocomplete tools
Description
DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI spellcheck "Did you mean" HTML escapes the data-spell attribute in the link, but not the actual displayed text. Similarly, the JSPUI autocomplete HTML does not properly escape text passed to it. Both are vulnerable to XSS. This vulnerability only impacts the JSPUI. Users are advised to upgrade. There are no known workarounds for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.dspace:dspace-jspui (Maven) | >= 4.0, < 5.11 | 5.11 |
| org.dspace:dspace-jspui (Maven) | >= 6.0, < 6.4 | 6.4 |
Vulnerability mechanics
Root cause
"Missing HTML escaping of user-controlled text in JSPUI spellcheck and autocomplete components leads to stored/reflected cross-site scripting (XSS)."
Attack vector
An attacker can inject arbitrary JavaScript into the JSPUI by crafting a search query or other input that is reflected by the spellcheck "Did you mean" or autocomplete features without proper HTML escaping. The advisory notes that the data-spell attribute is escaped but the displayed text is not, allowing script payloads to execute in a victim's browser. No authentication is required because the vulnerable components are accessible to unauthenticated users performing searches. The attack is delivered via a crafted URL or form submission that the victim visits.
Affected code
The advisory states that the JSPUI spellcheck "Did you mean" component and the JSPUI autocomplete component fail to properly HTML-escape user-controlled text before rendering it in the page. The provided patches (patch_id=1641510, patch_id=1641511) are release-version bumps in pom.xml files and do not contain the actual code fix for the XSS vulnerability; the advisory does not specify the exact files or functions that were corrected.
What the fix does
The provided patches (patch_id=1641510, patch_id=1641511) only update version numbers from SNAPSHOT to release in pom.xml files and do not contain any code changes that address the XSS vulnerability. The advisory indicates that the fix involves properly HTML-escaping user-controlled text in the JSPUI spellcheck and autocomplete components, but the actual escaping logic is not present in these release-preparation commits. Users are advised to upgrade to the patched release versions (6.4 or 5.11), which presumably include the corrected JSP files.
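The escaping gap the advisory describes, modelled as an added example that is not DSpace code: the suggestion is escaped where it lands in the data-spell attribute but copied raw into the visible link text, beside the hardened form that escapes both placements. Method names and the sample input are assumptions for illustration, not JSPUI identifiers.

```java
// Added example, not DSpace code: models the "Did you mean" link rendering
// described in the advisory. escapeHtml, renderVulnerable, renderFixed and
// leaksRawMarkup are illustrative names, not DSpace JSPUI identifiers.
public class DidYouMeanEscaping {

    // Minimal escaper safe for HTML text nodes and double-quoted attributes.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable shape from the advisory: the suggestion is escaped in the
    // data-spell attribute but written raw into the visible link text.
    static String renderVulnerable(String suggestion) {
        return "<a href=\"#\" data-spell=\"" + escapeHtml(suggestion) + "\">"
             + suggestion + "</a>";
    }

    // Hardened shape: every place the user-controlled suggestion lands in the
    // markup is escaped, including the displayed text.
    static String renderFixed(String suggestion) {
        return "<a href=\"#\" data-spell=\"" + escapeHtml(suggestion) + "\">"
             + escapeHtml(suggestion) + "</a>";
    }

    // Review-time check usable in a template unit test: markup from the input
    // must never survive verbatim in the rendered fragment.
    static boolean leaksRawMarkup(String rendered, String input) {
        return input.indexOf('<') >= 0 && rendered.contains(input);
    }

    public static void main(String[] args) {
        String suggestion = "<b>constructed</b> term"; // constructed sample input
        String[] fragments = { renderVulnerable(suggestion), renderFixed(suggestion) };
        for (String html : fragments) {
            System.out.println(html + "  leaks=" + leaksRawMarkup(html, suggestion));
        }
    }
}
```

The same check applies to the autocomplete path: any suggestion text inserted into the page must pass through an escaper for the context it lands in, whether attribute or text node.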
Preconditions
- config: The DSpace instance must be using the JSPUI (not XMLUI).
- input: The attacker must be able to supply input that is processed by the spellcheck 'Did you mean' or autocomplete features.
- network: The victim must visit a page containing the unescaped attacker-controlled text (e.g., via a crafted search URL).
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-c558-5gfm-p2r8 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-31191 (GHSA, advisory)
- github.com/DSpace/DSpace/commit/35030a23e48b5946f5853332c797e1c4adea7bb7 (GHSA, x_refsource_MISC, web)
- github.com/DSpace/DSpace/commit/6f75bb084ab1937d094208c55cd84340040bcbb5 (GHSA, x_refsource_MISC, web)
- github.com/DSpace/DSpace/commit/c89e493e517b424dea6175caba54e91d3847fc3a (GHSA, x_refsource_MISC, web)
- github.com/DSpace/DSpace/commit/ebb83a75234d3de9be129464013e998dc929b68d (GHSA, x_refsource_MISC, web)
- github.com/DSpace/DSpace/security/advisories/GHSA-c558-5gfm-p2r8 (GHSA, x_refsource_CONFIRM, web)