Hi Tim. Thank you very much for your reply to this question. I'll let them know this and will try to get more information, following your advice.
Hernán

On Monday, October 28, 2024 at 12:18:02 PM UTC-3, DSpace Technical Support wrote:

> Hi,
>
> At a quick glance, this sounds a lot like a *false positive*. Angular
> itself has a lot of built-in protections against Javascript-style attacks
> (XSS, etc), and I'd be surprised if a SOME attack works on an Angular
> application (as it's essentially a "flavor" of XSS attack).
>
> The details you've shared from this report are very vague. It doesn't
> show any real examples, and it seems to list almost every page in the
> application.
>
> That said, if you can get more information from them about *how* to
> produce a SOME attack on a single page (like a proof of concept attack),
> then we can look into it in more detail. *Please email any such details
> to secu...@dspace.org*, so that the DSpace Committers are notified and
> can analyze the report.
>
> Tim
>
> On Monday, October 28, 2024 at 8:42:07 AM UTC-5 HC wrote:
>
>> Hi.
>>
>> Our security team is using the web application Acunetix to scan and find
>> any vulnerability on the web pages and web applications of our
>> organization. The goal is to detect them and take proactive measures to
>> prevent a potential attack, data compromise, etc.
>>
>> After running the analysis, they raised several alerts, which they
>> catalog with different threat levels. The good news for us is that they
>> didn't find any high risk alert.
>> But they found several medium risk alerts.
>>
>> One medium risk alert that concerns us, and prevents us from releasing the
>> DSpace repository into production, is the following:
>>
>> *Same origin method execution (SOME)*
>>
>> Classification:
>>
>> CVSS3
>> CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
>> Base Score: 4.3
>> Attack Vector: Network
>> Attack Complexity: Low
>> Privileges Required: None
>> User Interaction: Required
>> Scope: Unchanged
>> Confidentiality Impact: None
>> Integrity Impact: Low
>> Availability Impact: None
>>
>> CVSS2
>> Base Score: 4.3
>> Access Vector: Network_accessible
>> Access Complexity: Medium
>> Authentication: None
>> Confidentiality Impact: None
>> Integrity Impact: Partial
>> Availability Impact: None
>> Exploitability: Not_defined
>> Remediation Level: Not_defined
>> Report Confidence: Not_defined
>> Availability Requirement: Not_defined
>> Collateral Damage Potential: Not_defined
>> Confidentiality Requirement: Not_defined
>> Integrity Requirement: Not_defined
>> Target Distribution: Not_defined
>>
>> CWE
>> CWE-20
>>
>> Affected items
>> /admin 1
>> /browse/author 6
>> /browse/dateissued 4
>> /browse/subject 4
>> /browse/title 5
>> /collections/11ca30c5-3153-4bde-8f56-78e4551251a8 1
>> /collections/1f250178-77ff-405d-8327-b6cb9ca3bafb 1
>> /collections/42e829be-53e8-45a8-9759-84af2625af89 1
>> /collections/5393a442-fc8b-4e09-be62-12acb19a68c9 1
>> /collections/5bd4b23e-71c5-4d9d-826e-fcbc9d160818 1
>> /collections/629bb30f-43f8-4be8-acca-36681b1b01d0 1
>> /collections/665b93e7-38f3-4409-ace8-06465570392f 1
>> /collections/8a841561-4cc0-4853-b793-79fd64400fb5 1
>> /collections/f6b29dcc-f0a8-430f-b947-cdbe82436908 1
>> /communities/0126647d-873a-46e7-9c9e-d023c7fea691 1
>> /communities/34310f22-81a0-4402-aae9-b678eb766b6a 1
>> /communities/34d97a60-b2fa-4698-81cc-0d839f0f567c 1
>> /communities/4f2eb171-8728-4d22-bd27-33aeb9d5ae0f 2
>> /communities/663a7aa4-fa3d-460b-9585-b31b5674e20a 1
>> /communities/79696ce9-39ed-4f67-80be-5948b848b1c8 1
>> /communities/7dc49154-f0b3-4902-9af3-71f8b27efad4 1
>> /communities/b3c7d2fc-c6c5-4878-ba4a-511a843c709c 1
>> /communities/dbef5fb5-3027-49d9-9bf0-0f2d44415146 3
>> /communities/e5098278-fff6-43dd-83b7-2d802d888f05 2
>> /communities/fe435281-084f-4ddf-ac9c-ad72081396ce 3
>> /community-list 1
>> /home 1
>> /info/end-user-agreement 1
>> /info/privacy 1
>> /items/0160ed5e-23f1-404c-a6c0-eff54fa186ea/full 15
>> /items/14bd319e-79ec-41a6-9b0b-75878b3710ee 1
>> /items/1c71b9fb-d855-43e1-a2af-6513c4aadb72 1
>> /items/22d2db70-e5da-4dda-ba49-831898db737c 1
>> /items/46ef5a91-dc55-47cf-8fc8-7940d3e0376b 1
>> /items/5fd00655-1f0a-4261-93de-42a1a06ef128 1
>> /items/65b7f719-d788-488a-90b7-8da0dad4a31e/full 1
>> /items/7103c7f2-5a5f-4392-92de-2e2bd194d522 1
>> /items/a28c20af-1b4f-4699-8aa7-219722ad2557 1
>> /items/a7e28886-ce18-4745-8500-ef09d7b62804 1
>> /items/b826e34a-2ba5-48ac-9ec3-4b28ffca855a 1
>> /items/c3ccd304-ae49-44e5-8d2a-36b928ca0b51/full 1
>> /items/cea61be5-8e79-4ab8-86d1-7f56852fe18a 1
>> /register 1
>> /reload/1727961770073 1
>> /search 8
>> /statistics 1
>> /statistics/collections/11ca30c5-3153-4bde-8f56-78e4551251a8 1
>> /statistics/items/0160ed5e-23f1-404c-a6c0-eff54fa186ea 1
>> /workflowitems
>>
>> After some research I can't find a way to prevent this alert from
>> happening.
>> Can someone give some advice on this matter?
>>
>> Thanks in advance.