Dear DSpace community,

I hope everyone is doing well! I'm reaching out because our information security team has flagged what they believe is a potential vulnerability in DSpace 7.2 related to CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).

Here's what they've identified:

The team discovered that DSpace handles two comment sequences differently:

- The invalid sequence `*/_/*` is not being filtered out and gets processed
- The correct sequence `/*_*/` is properly filtered, returning the same result as input without payload

Since the outputs differ between these two cases, our infosec team is treating this as a potential injection vulnerability (similar to SQL injection concerns), even though the different responses don't immediately appear to constitute an actual security risk.

I'm wondering if anyone in the community has encountered similar findings from their security teams and how you approached the discussion? Any insights on whether this represents a genuine security concern or guidance on how to address it with infosec would be greatly appreciated.

Thanks so much for your time and expertise!

Best regards,
Marcelo

To view this discussion visit https://groups.google.com/d/msgid/dspace-tech/546d00ff-aee2-40f3-85de-548e4ddd91ean%40googlegroups.com.
