Cross Site Scripting possible in DSpace JSPUI "Request a Copy" feature
Description
DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI "Request a Copy" feature does not properly escape values submitted and stored from the "Request a Copy" form. This means that item requests could be vulnerable to XSS attacks. This vulnerability only impacts the JSPUI. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.dspace:dspace-jspui | Maven | >= 5.0, < 5.11 | 5.11 |
| org.dspace:dspace-jspui | Maven | >= 6.0, < 6.4 | 6.4 |
Affected products
Patches (2)
Vulnerability mechanics
Root cause
"Missing output escaping of user-supplied values in the JSPUI 'Request a Copy' form allows stored cross-site scripting (XSS)."
Attack vector
An attacker submits a "Request a Copy" form on a DSpace JSPUI item page with malicious JavaScript payloads in one or more of the form fields (e.g., requester name, email, or message). Because the JSPUI does not properly escape these stored values before rendering them back to users who view the request, the injected script executes in the context of the victim's browser. The attack requires no special privileges: any anonymous user can submit the form. The vulnerability is triggered when an administrator or other user views the stored request details, leading to a stored cross-site scripting (XSS) attack.
Affected code
The vulnerability resides in the JSPUI "Request a Copy" feature. The advisory states that the JSPUI does not properly escape values submitted and stored from the "Request a Copy" form. The patches provided ([patch_id=1641508], [patch_id=1641509]) are only release-version bumps (6.4 and 5.11) and do not contain any code-level fix for the XSS issue; the actual escaping fix is not shown in the supplied bundle.
What the fix does
The supplied patches ([patch_id=1641508], [patch_id=1641509]) are Maven release-plugin commits that only change version numbers from "-SNAPSHOT" to the release version and update the SCM tag. They contain no code changes to the JSPUI "Request a Copy" feature. Therefore, the actual fix that introduces proper output escaping for the form values is not present in the provided bundle. The advisory indicates that users should upgrade to a patched version, but the specific escaping logic is not shown here.
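Since the bundled patches show no escaping logic, the following added example (not DSpace code, and not the project's actual fix) illustrates the class of defect the advisory describes: a stored "Request a Copy" record rendered into HTML once by raw interpolation and once through an HTML entity escaper applied at the point of output. The `SAMPLE_REQUEST` fields, the `escapeHtml` helper and the two `render*` methods are constructed for this illustration and assume nothing about DSpace's real data model.

```java
import java.util.Map;

/**
 * Added example, not DSpace code: shows why stored "Request a Copy" fields must be
 * HTML-escaped when they are rendered back to the administrator who reviews the request.
 */
public final class RequestCopyEscapingDemo {

    /** Constructed sample request, as an anonymous user could have submitted it via the form. */
    static final Map<String, String> SAMPLE_REQUEST = Map.of(
        "requesterName", "Alice <script>alert(document.cookie)</script>",
        "requesterEmail", "alice@example.org",
        "message", "Please send a copy & thanks \"very\" much");

    /** Escapes the five characters that are significant in HTML text and attribute contexts. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable pattern: stored values written straight into the page, like a JSP <%= value %>. */
    static String renderUnescaped(Map<String, String> req) {
        return "<dl>"
            + "<dt>Requester</dt><dd>" + req.get("requesterName") + "</dd>"
            + "<dt>Email</dt><dd>" + req.get("requesterEmail") + "</dd>"
            + "<dt>Message</dt><dd>" + req.get("message") + "</dd>"
            + "</dl>";
    }

    /** Hardened pattern: every stored value is escaped at the moment it is written to the page. */
    static String renderEscaped(Map<String, String> req) {
        return "<dl>"
            + "<dt>Requester</dt><dd>" + escapeHtml(req.get("requesterName")) + "</dd>"
            + "<dt>Email</dt><dd>" + escapeHtml(req.get("requesterEmail")) + "</dd>"
            + "<dt>Message</dt><dd>" + escapeHtml(req.get("message")) + "</dd>"
            + "</dl>";
    }

    /** True when the rendered markup still carries a live script element the browser would execute. */
    static boolean containsLiveScript(String html) {
        return html.toLowerCase().contains("<script");
    }

    public static void main(String[] args) {
        String unsafe = renderUnescaped(SAMPLE_REQUEST);
        String safe = renderEscaped(SAMPLE_REQUEST);
        System.out.println("Unescaped output carries a live <script>: " + containsLiveScript(unsafe)); // true
        System.out.println("Escaped output carries a live <script>:   " + containsLiveScript(safe));   // false
        System.out.println(safe);
    }
}
```

In a JSP view the same distinction is between `<%= value %>`, which writes the stored string verbatim, and JSTL's `<c:out value="${value}"/>`, whose default `escapeXml="true"` applies equivalent entity encoding. Escaping must happen at output time in every view that displays the stored request, not only at submission, because the data is persisted and may be rendered in more than one place.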
Preconditions
- config: The DSpace instance must be running the JSPUI (not XMLUI).
- config: The "Request a Copy" feature must be enabled on item pages.
- auth: No authentication is required; any anonymous user can submit the form.
- input: An administrator or other user must view the stored request details to trigger the stored XSS.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-4wm8-c2vv-xrpq (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2022-31192 (NVD entry)
- https://github.com/DSpace/DSpace/commit/28eb8158210d41168a62ed5f9e044f754513bc37 (patch commit)
- https://github.com/DSpace/DSpace/commit/f7758457b7ec3489d525e39aa753cc70809d9ad9 (patch commit)
- https://github.com/DSpace/DSpace/security/advisories/GHSA-4wm8-c2vv-xrpq (vendor advisory)
News mentions
No linked articles in our index yet.