Hi Tim,
Thank you for your prompt and detailed response. I appreciate the clarification regarding the behavior observed and your confirmation that it is a false positive due to Angular's built-in XSS protections. We will forward the report to our security provider for further review to ensure all necessary measures are in place.

Thanks again for your assistance.

Best regards,
Humberto

On Monday, February 24, 2025 at 11:08:26 AM UTC-5, DSpace Technical Support wrote:

> Hi,
>
> The example you've given is showing that DSpace is simply turning the "user input" into plain text. It is not allowing for scripts to be executed, as would be required for an XSS attack, as the "<script>" tag (in your example) is never executed...it's just displayed as if it were plain text.
>
> Angular itself has quite robust XSS protections built-in. DSpace does not disable these protections, which means that user input, by default, is untrusted and escaped in Angular so that it cannot be executed. See the Angular docs at https://angular.dev/best-practices/security#preventing-cross-site-scripting-xss on how this works.
>
> So, the behavior you are seeing is *escaped user input*...it has been turned into plain text, so that it cannot be executed in the user's browser. Therefore, I believe this is a "false positive" from your Qualys WAS Report.
>
> If you've somehow found a way to *bypass* that escaped user input, then I'd ask that you report the *exact exploit* to secu...@dspace.org and we'll take a closer look. See also our Security Policy at https://github.com/DSpace/DSpace/security.
>
> Thanks,
>
> Tim
>
> On Monday, February 24, 2025 at 9:41:30 AM UTC-6 hbla...@gmail.com wrote:
>
>> Dear dspace-tech Team,
>>
>> I am writing to request your support regarding a critical Cross-Site Scripting (XSS) vulnerability that has been detected in our repository.
>>
>> According to the recent Qualys WAS report, a reflected XSS vulnerability has been identified on the browsing interface (specifically within the "browse/author" endpoint) of our repository. The report confirms that unsanitized user input is being echoed in the HTML response, which could allow an attacker to inject malicious scripts.
>>
>> Key details include:
>> • The vulnerability has been assigned a Severity Level 5, indicating a confirmed and critical issue.
>> • The issue appears when user-supplied data is not properly HTML-encoded, allowing XSS payloads to be reflected in the response.
>> • Although no active exploit has been confirmed yet, the potential for credential theft and data compromise is significant.
>>
>> Given the potential impact on our users and the integrity of the repository, I kindly request your assistance in reviewing the issue and advising on the appropriate remediation measures. Specifically, guidance on implementing robust HTML encoding and input validation to prevent the execution of injected scripts would be highly appreciated.
>>
>> For example:
>> https://demo.dspace.org/browse/author?value=Barquero-Romero,%20Jose%20Pablo%20%3Cscript%3E_q_q%3Drandom(Ppf3jbNx)%3C
>>
>> Thank you for your prompt attention to this matter. I look forward to your expert advice and support to resolve this vulnerability as soon as possible.
>>
>> Best regards,
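A small triage check for the distinction Tim draws above, added here as an example and not code from DSpace, Angular or anyone in the thread: it decodes the `value` parameter from the URL quoted in the report and tells whether a response body reflects that value only in entity-escaped form (rendered as text, the false positive described) or verbatim as markup (which would merit a report to the security address). The two response bodies are constructed, not captured from demo.dspace.org, and `htmlEscape` is a simplified model of text interpolation, not Angular's own sanitizer.

```javascript
// Added triage helper, not code from DSpace or Angular: given the HTML a
// scanner got back, decide whether the probe value was reflected as escaped
// text (harmless, the false positive Tim describes) or as live markup.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Simplified model of text interpolation: HTML-significant characters
// become entities, so "<script>" can only ever display as text.
function htmlEscape(s) {
  return s.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Recover the decoded `value` query parameter from the URL the report quoted.
function payloadFromUrl(url) {
  return new URL(url).searchParams.get('value') ?? '';
}

// Classify how `payload` appears in the response `body`:
//   'raw'          the markup survived verbatim: investigate and report it
//   'escaped'      only the entity-encoded form is present: false positive
//   'absent'       the value is not reflected at all
//   'inconclusive' the payload has no HTML-significant characters to test with
function classifyReflection(body, payload) {
  const escaped = htmlEscape(payload);
  if (escaped === payload) return 'inconclusive';
  if (body.includes(payload)) return 'raw';
  if (body.includes(escaped)) return 'escaped';
  return 'absent';
}

// Constructed sample data (not captured from demo.dspace.org). PROBE_URL is
// the URL from the report; the two bodies show the escaped and raw outcomes.
const PROBE_URL = 'https://demo.dspace.org/browse/author?value=Barquero-Romero,%20Jose%20Pablo%20%3Cscript%3E_q_q%3Drandom(Ppf3jbNx)%3C';
const ESCAPED_BODY = '<h2>Browsing by Author "Barquero-Romero, Jose Pablo &lt;script&gt;_q_q=random(Ppf3jbNx)&lt;"</h2>';
const RAW_BODY = '<h2>Browsing by Author "Barquero-Romero, Jose Pablo <script>_q_q=random(Ppf3jbNx)<"</h2>';

// Run both bodies through the classifier and return the verdicts.
function triage() {
  const payload = payloadFromUrl(PROBE_URL);
  return {
    payload,
    escapedVerdict: classifyReflection(ESCAPED_BODY, payload), // 'escaped'
    rawVerdict: classifyReflection(RAW_BODY, payload),         // 'raw'
  };
}

console.log(triage());
```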