CVE-2022-31192: 
Java vulnerability analysis and mitigation

The DSpace JSPUI "Request a Copy" feature contains a Cross-Site Scripting (XSS) vulnerability (CVE-2022-31192) that was discovered in July 2022. The vulnerability affects DSpace versions 5.0 through 6.3, where values submitted and stored from the "Request a Copy" form are not properly escaped, making item requests vulnerable to XSS attacks. This vulnerability only impacts the JSPUI interface and does not affect the XMLUI or version 7.x (GitHub Advisory).

The vulnerability exists due to insufficient input validation and escaping of user-submitted values in the "Request a Copy" form functionality. The issue was fixed by implementing proper HTML escaping using StringEscapeUtils.escapeHtml4() for user input parameters including email, name, and comments in the RequestItemServlet.java file (GitHub Commit).

An attacker could potentially execute malicious JavaScript code in the context of other users' browsers by submitting specially crafted input through the "Request a Copy" form. This could lead to session hijacking, theft of sensitive information, or other client-side attacks against DSpace users (GitHub Advisory).

The vulnerability was patched in DSpace versions 6.4 and 5.11. For users unable to upgrade immediately, a temporary workaround is available by disabling the "Request a Copy" feature by commenting out or emptying the 'request.item.type' configuration setting. Patch files are also available for manual application: DSpace 6.x patch via commit 503a6af and DSpace 5.x patch via commit 28eb815 (GitHub Advisory).