GHSA-94cc-xjxr-pwvf
LOWDSpace Cross Site Scripting (XSS) via a deposited HTML/XML document
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
org.dspace:dspace-server-webappReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Maven packages — download data is not available via public APIs for these ecosystems.
Description
Impact
In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack.
This attack may only be initialized by a user who already has Submitter privileges in the repository. The submitter must upload the malicious HTML/XML/JavaScript file themselves. The attack itself would not occur until a visitor or logged-in user downloads the file or clicks on a download link shared by the attacker.
If your site is running the frontend and backend from separate domains, CORS and CSRF protection built into DSpace help to limit the impact of the attack.
If the repository is configured to only download HTML / XML / JavaScript Bitstreams using the Content-Disposition: attachment header, then the attack is no longer possible. See "Workarounds" below.
Patches
The fix is included in both 8.0 and 7.6.2. Please upgrade to one of these versions, or manually apply one of the "Workarounds" below.
If you are already running 7.6 or 7.6.1, then this vulnerability can be fixed via a configuration update in your dspace.cfg configuration file. See details in below.
Workarounds
DSpace sites running 7.6 or 7.6.1 can fix this issue by adding the following webui.content_disposition_format settings to their dspace.cfg (or local.cfg). These settings force all HTML, XML, RDF & JavaScript files to always be downloaded to a user's machine, blocking the attack. For more details see PR #9638
webui.content_disposition_format = text/html
webui.content_disposition_format = text/javascript
webui.content_disposition_format = text/xml
webui.content_disposition_format = rdf
These settings will take effect immediately. There is no need to restart Tomcat.
To verify the settings are working: upload an HTML or XML file to an in-progress submission. Attempt to download the file. The file should not open in your browser window. Instead, it should download to your local computer.
DSpace sites running 7.0 through 7.5 will need to either (CHOOSE ONE):
- Upgrade to 7.6.2 or 8.0
- Or, upgrade to 7.6 or 7.6.1 and then apply the configuration change mentioned above
- Or, manually add the
webui.content_disposition_formatsetting (which was first released in 7.6), and then apply the configuration changes mentioned above.- The
webui.content_disposition_formatsetting can be added by applying the changes in PR #8891. Apatchfile is also available. - Please be aware this patch may not apply cleanly to all prior versions of 7.x. In that scenario, you would need to find a way to manually apply the changes or consider a different workaround.
- The
- Or, find a way in your Apache or NGinx proxy to force the
Content-Disposition: attachmentheader to be sent for all files downloaded via/server/api/core/bitstreams/[uuid]/contentin the REST API.- NOTE: This workaround will patch the vulnerability. However, it does so by no longer allowing users to open any downloaded files in their browser window. (This behavior may or may not be desirable in the long term, so you may wish to remove it in the future, once you have upgraded.)
- For example, in Apache, using "mod_headers", you may add a configuration similar to this in your
<VirtualHost>:# Set "Content-Disposition: attachment" whenever path is /server/api/core/bitstreams/[uuid]/content Header set Content-Disposition attachment "expr=%{REQUEST_URI} =~ m#^/server/api/core/bitstreams/.*/content$#"
References
Discovered and reported by Muhammad Zeeshan (Xib3rR4dAr)
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| ☕Maven | org.dspace:dspace-server-webapp | ≥ 7.0&&< 7.6.2 | 7.6.2 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for org.dspace:dspace-server-webapp. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update org.dspace:dspace-server-webapp to 7.6.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-94cc-xjxr-pwvf is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-94cc-xjxr-pwvf is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-94cc-xjxr-pwvf. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-94cc-xjxr-pwvf in your dependencies?
O3 detects GHSA-94cc-xjxr-pwvf across Maven dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.