Dear dspace-tech Team,
I am writing to request your support regarding a critical Cross-Site Scripting (XSS) vulnerability that has been detected in our repository. According to the recent Qualys WAS report, a reflected XSS vulnerability has been identified on the browsing interface (specifically within the "browse/author" endpoint) of our repository. The report confirms that unsanitized user input is being echoed in the HTML response, which could allow an attacker to inject malicious scripts.

Key details include:

• The vulnerability has been assigned a Severity Level 5, indicating a confirmed and critical issue.
• The issue appears when user-supplied data is not properly HTML-encoded, allowing XSS payloads to be reflected in the response.
• Although no active exploit has been confirmed yet, the potential for credential theft and data compromise is significant.

Given the potential impact on our users and the integrity of the repository, I kindly request your assistance in reviewing the issue and advising on the appropriate remediation measures. Specifically, guidance on implementing robust HTML encoding and input validation to prevent the execution of injected scripts would be highly appreciated.

For example:
https://demo.dspace.org/browse/author?value=Barquero-Romero,%20Jose%20Pablo%20%3Cscript%3E_q_q%3Drandom(Ppf3jbNx)%3C

Thank you for your prompt attention to this matter. I look forward to your expert advice and support to resolve this vulnerability as soon as possible.

Best regards,

--
You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group. To view this discussion visit https://groups.google.com/d/msgid/dspace-tech/8d577a2b-546f-49c1-a798-b57b6aea1bb8n%40googlegroups.com.
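The mechanism the report describes, as an added example that is not part of the original post and is not DSpace's own code: a hypothetical server-side template that reflects the `value` query parameter, first unencoded and then HTML-encoded at the point of output, together with the check a scanner effectively performs to decide that a parameter was reflected without encoding. The page fragment, the function names and the `reflectsUnencoded` heuristic are assumptions for illustration; the probe URL is the one quoted in the post.

```javascript
// Added example (not DSpace code): reflected XSS on a browse endpoint and
// the output-encoding fix. The page fragment below is a hypothetical stand-in
// for whatever the real browse template renders.

// Characters that change meaning in HTML text or a double-quoted attribute.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a string for insertion into HTML element content or a quoted
// attribute value. '&' must be encoded too, otherwise an input such as
// '&lt;' would come back to life as '<' after a later decode.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Extract the `value` query parameter the way a server would: percent
// decoding is applied, so %3Cscript%3E arrives as <script>.
function browseValueFromUrl(url) {
  return new URL(url).searchParams.get('value') || '';
}

// Vulnerable rendering (assumed template): the raw parameter is concatenated
// into both an element body and an attribute value.
function renderVulnerable(value) {
  return (
    `<h2>Browsing by Author "${value}"</h2>\n` +
    `<input type="text" name="value" value="${value}">`
  );
}

// Hardened rendering: same template, but every interpolation is encoded at
// the point of output. Input validation can be layered on top, but encoding
// is what stops the browser from parsing the payload as markup.
function renderHardened(value) {
  const safe = escapeHtml(value);
  return (
    `<h2>Browsing by Author "${safe}"</h2>\n` +
    `<input type="text" name="value" value="${safe}">`
  );
}

// The check a scanner effectively performs: if the parameter contains
// markup-significant characters and the response contains it verbatim,
// the value was reflected without encoding.
function reflectsUnencoded(html, value) {
  return /[<>"'&]/.test(value) && html.includes(value);
}

// Probe URL quoted in the post (the payload is an inert marker, not a working exploit).
const REPORTED_URL =
  'https://demo.dspace.org/browse/author?value=Barquero-Romero,%20Jose%20Pablo%20%3Cscript%3E_q_q%3Drandom(Ppf3jbNx)%3C';

// Run both renderings against the reported probe and report the verdicts.
function demo() {
  const value = browseValueFromUrl(REPORTED_URL);
  const vulnerable = renderVulnerable(value);
  const hardened = renderHardened(value);
  return {
    value,
    vulnerableReflects: reflectsUnencoded(vulnerable, value), // true
    hardenedReflects: reflectsUnencoded(hardened, value),     // false
  };
}

console.log(demo());
```

Before treating the scanner finding as confirmed, fetch the probe URL with a plain HTTP client and look for the decoded string in the raw response body: the reflection counts only if `<script>` appears unencoded there. The DSpace 7+ user interface is an Angular application, and Angular escapes interpolated values by default, so which component (if any) echoes the parameter verbatim is the thing to establish, rather than relying on the scanner's severity label alone.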