CVE-2022-31191: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in DSpace DSpace

Severity: Medium
Published: Mon Aug 01 2022 (08/01/2022, 20:30:17 UTC)
Source: CVE
Vendor/Project: DSpace
Product: DSpace

Description

DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI spellcheck "Did you mean" HTML escapes the data-spell attribute in the link, but not the actual displayed text. Similarly, the JSPUI autocomplete HTML does not properly escape text passed to it. Both are vulnerable to XSS. This vulnerability only impacts the JSPUI. Users are advised to upgrade. There are no known workarounds for this issue.

AI-Powered Analysis

Last updated: 06/23/2025, 01:06:36 UTC

Technical Analysis

CVE-2022-31191 is a cross-site scripting (XSS) vulnerability in the JSPUI component of DSpace, open-source repository software widely used for managing and providing durable access to digital resources. It stems from improper neutralization of input during web page generation (CWE-79). Specifically, the JSPUI spellcheck "Did you mean" feature escapes the data-spell attribute in the HTML link but does not escape the displayed text itself. Similarly, the JSPUI autocomplete feature does not properly escape user-supplied text before rendering it on the page. An attacker can therefore inject script into the web interface that executes in the context of the victim's browser session.

The vulnerability affects DSpace versions >=4.0 and <5.11 as well as >=6.0 and <6.4, so multiple major releases are affected. The issue is confined to the JSPUI and does not affect other DSpace interfaces or components. There are no known workarounds, and users are advised to upgrade to a patched version.

No exploits have been reported in the wild, but the vulnerability allows client-side script injection that can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of authenticated users. Exploitation requires no authentication or special privileges; the only user interaction typically needed is for the victim to visit a maliciously crafted page or link within the affected DSpace instance. The vulnerability primarily threatens the confidentiality and integrity of user sessions and of data accessed through the JSPUI.
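The escaping gap described above, shown as an added JavaScript illustration rather than DSpace source code: the value is escaped for the attribute but concatenated raw into the visible text, next to a version that escapes both sinks. The function names, markup and the harmless probe string are constructed for this example, which also includes a small regression check a maintainer could run against custom JSPUI templates.

```javascript
// Added illustration; not DSpace code. All names and markup are hypothetical.
const PROBE = '"><b>probe</b>'; // constructed, harmless markup used as test input

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Flawed pattern: the attribute is escaped, the displayed text is not.
function renderDidYouMeanFlawed(suggestion) {
  return '<a href="#" data-spell="' + escapeHtml(suggestion) + '">' + suggestion + "</a>";
}

// Corrected pattern: every sink that receives the value is escaped.
function renderDidYouMeanFixed(suggestion) {
  const safe = escapeHtml(suggestion);
  return '<a href="#" data-spell="' + safe + '">' + safe + "</a>";
}

// Same mistake in an autocomplete list built by string concatenation.
function renderAutocompleteFlawed(items) {
  return "<ul>" + items.map((i) => "<li>" + i + "</li>").join("") + "</ul>";
}

function renderAutocompleteFixed(items) {
  return "<ul>" + items.map((i) => "<li>" + escapeHtml(i) + "</li>").join("") + "</ul>";
}

// Regression check: true when the probe reaches the output verbatim,
// i.e. at least one sink emitted it without escaping.
function leaksRawInput(render, probe) {
  return render(probe).includes(probe);
}

// Run every renderer against the probe and report which ones leak it.
function auditRenderers() {
  return {
    didYouMeanFlawed: leaksRawInput(renderDidYouMeanFlawed, PROBE),
    didYouMeanFixed: leaksRawInput(renderDidYouMeanFixed, PROBE),
    autocompleteFlawed: leaksRawInput((p) => renderAutocompleteFlawed([p]), PROBE),
    autocompleteFixed: leaksRawInput((p) => renderAutocompleteFixed([p]), PROBE),
  };
}

console.log(auditRenderers());
```

The flawed "Did you mean" renderer passes an attribute-only review because `data-spell` is correctly escaped, which is why the check inspects the whole rendered fragment rather than a single sink.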

Potential Impact

For European organizations using DSpace, particularly academic institutions, research libraries, and cultural heritage repositories, this vulnerability could lead to unauthorized access to sensitive digital collections or user credentials. Exploitation could allow attackers to execute arbitrary scripts in users' browsers, potentially stealing session cookies, redirecting users to malicious sites, or performing unauthorized actions such as data modification or deletion. This undermines trust in digital repositories and could disrupt access to critical research and cultural data. Since DSpace is widely adopted in European universities and research centers, the impact could be significant in terms of data confidentiality and user privacy. Additionally, compromised user accounts could be leveraged for further attacks within organizational networks. The lack of known exploits in the wild reduces immediate risk, but the medium severity rating and absence of workarounds mean organizations should prioritize remediation to prevent potential exploitation. The vulnerability does not directly affect system availability but could indirectly cause service disruptions if exploited at scale or combined with other attacks.

Mitigation Recommendations

Organizations should promptly upgrade affected DSpace installations to version 5.11 or 6.4 (or later), where this vulnerability is addressed. Until upgrades are applied, administrators should restrict access to the JSPUI to trusted users only, using network segmentation or VPNs to limit exposure. Content Security Policy (CSP) headers can reduce the impact of injected scripts by restricting the sources from which scripts may execute. Organizations should also audit custom JSPUI extensions or plugins to ensure they do not introduce similar XSS risks. Regularly monitoring web server logs for unusual requests or script injection attempts can provide early detection of exploitation attempts. User education is also important; users should be cautioned against clicking suspicious links within the DSpace environment. Finally, organizations should consider deploying web application firewalls (WAFs) with rules tuned to detect and block typical XSS payloads targeting DSpace JSPUI endpoints.

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-05-18T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9844c4522896dcbf3961

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/23/2025, 1:06:36 AM

Last updated: 8/11/2025, 4:47:30 AM
