CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in DSpace JSPUI 6.5 within the search/discover filtering functionality. The vulnerability exists due to improper sanitization of user-supplied input via the filter_type_1 parameter.
Analysis
DSpace JSPUI 6.5 contains a reflected cross-site scripting (XSS) vulnerability in the search/discover filtering functionality: the filter_type_1 parameter is not properly sanitized, allowing remote attackers to inject malicious scripts that execute in the context of other users' browsers. The vulnerability affects DSpace repository instances running version 6.5. A proof-of-concept has been publicly disclosed via GitHub (https://gist.github.com/MerttTuran/9cf7de549749fe3ef7ce08d65e3540bd), though active exploitation had not been confirmed through a CISA KEV listing at the time of analysis.
Technical Context
DSpace is an open-source institutional repository platform commonly deployed in academic and research institutions. The JSPUI (JavaServer Pages User Interface) is the legacy web interface component. The vulnerability resides in the search and discovery filtering mechanism, where user-supplied input via the filter_type_1 parameter is reflected in the HTTP response without proper HTML entity encoding or contextual output sanitization. This is a classic reflected XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation): attacker-controlled input flows into the rendered page without validation or encoding, allowing arbitrary JavaScript execution within the victim's session context. The affected product is identified via vendor references to dspace.com and LYRASIS (the DSpace community organization), though comprehensive CPE data with specific version ranges is not fully detailed in the provided intelligence.
Affected Products
DSpace JSPUI version 6.5 is confirmed affected by this vulnerability according to the provided description. The affected product is maintained by DSpace (http://dspace.com) and the DSpace community overseen by LYRASIS (http://lyrasis.com). Comprehensive CPE data with version range precision (e.g., cpe:2.3:a:dspace:dspace:6.5:*:*:*:*:jspui:*:*) is not fully specified in the provided intelligence, though references to the DSpace and LYRASIS domains indicate the institutional repository product line. Users operating DSpace repositories with JSPUI 6.5 should verify their deployment versions and prioritize assessment of this component.
Remediation
Upgrade DSpace JSPUI to a patched version released after identification of this vulnerability. Consult the DSpace community security advisories at http://dspace.com and http://lyrasis.com for the exact patched version number, as the specific fix version is not independently confirmed in the provided intelligence. Until patching is feasible, implement input validation and output encoding by reviewing and applying any available security patches or configuration hardening guidance from the DSpace project. Additionally, deploy a Web Application Firewall (WAF) configured with XSS filtering rules to block malicious payloads in the filter_type_1 parameter, restrict access to the DSpace JSPUI interface to trusted networks where possible, and monitor HTTP logs for suspicious parameter values containing script tags or JavaScript event handlers. Review the proof-of-concept (https://gist.github.com/MerttTuran/9cf7de549749fe3ef7ce08d65e3540bd) to understand the exploit pattern and ensure filtering rules match the demonstrated attack vector.
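The log monitoring recommended above, sketched as an added example that is not part of the original advisory or of the DSpace project. It assumes combined-format access logs and that legitimate filter_type_1 values are short operator tokens; the allowlist, request paths and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Assumption: legitimate filter_type_1 values are short operator tokens
# (for example "equals" or "contains"); adjust for your deployment.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,32}")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
PARAM = "filter_type_1"

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded input is inspected too."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_values(log_line):
    """Return decoded filter_type_1 values that fall outside the allowlist."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    # parse_qsl performs the first round of percent-decoding.
    pairs = parse_qsl(urlsplit(match.group(1)).query)
    decoded = [fully_decode(value) for name, value in pairs if name == PARAM]
    return [value for value in decoded if not SAFE_VALUE.fullmatch(value)]

def scan(lines):
    """Return (client_ip, decoded_value) for every flagged request."""
    return [(line.split(" ", 1)[0], value)
            for line in lines for value in suspicious_values(line)]

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /jspui/simple-search'
    '?query=a&filter_field_1=title&filter_type_1=equals HTTP/1.1" 200 5120',
    '192.0.2.20 - - [01/Jan/2025:10:00:05 +0000] "GET /jspui/simple-search'
    '?filter_type_1=%3Cscript%3E1%3C%2Fscript%3E HTTP/1.1" 200 5301',
    '198.51.100.7 - - [01/Jan/2025:10:00:09 +0000] "GET /jspui/simple-search'
    '?filter_type_1=%253Csvg%2520onload%253D1%253E HTTP/1.1" 200 5299',
]

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"{client} sent unexpected {PARAM} value: {value!r}")
```

Only the query string is inspected, so parameters submitted in a POST body need a separate data source such as WAF or application logs.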
EUVD-2025-209096
GHSA-68p2-v646-58j6