Hi.
Our security team is using the web application Acunetix to scan and find any vulnerability on the web pages and web applications of our organization. The goal is to detect them and take proactive measures to prevent a potential attack, data compromise, etc.
After running the analysis, they raised several alerts, which they catalog with different threat levels. The good news for us is that they didn't find any high risk alert.
But they found several medium risk alerts.
One medium risk alert that concerns us, and prevents us from releasing the DSpace repository into production, is the following:
Same origin method execution (SOME)
Classification:
CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Base Score: 4.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
CVSS2
Base Score: 4.3
Access Vector: Network_accessible
Access Complexity: Medium
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE
CWE-20
Affected items
/admin 1
/browse/author 6
/browse/dateissued 4
/browse/subject 4
/browse/title 5
/collections/11ca30c5-3153-4bde-8f56-78e4551251a8 1
/collections/1f250178-77ff-405d-8327-b6cb9ca3bafb 1
/collections/42e829be-53e8-45a8-9759-84af2625af89 1
/collections/5393a442-fc8b-4e09-be62-12acb19a68c9 1
/collections/5bd4b23e-71c5-4d9d-826e-fcbc9d160818 1
/collections/629bb30f-43f8-4be8-acca-36681b1b01d0 1
/collections/665b93e7-38f3-4409-ace8-06465570392f 1
/collections/8a841561-4cc0-4853-b793-79fd64400fb5 1
/collections/f6b29dcc-f0a8-430f-b947-cdbe82436908 1
/communities/0126647d-873a-46e7-9c9e-d023c7fea691 1
/communities/34310f22-81a0-4402-aae9-b678eb766b6a 1
/communities/34d97a60-b2fa-4698-81cc-0d839f0f567c 1
/communities/4f2eb171-8728-4d22-bd27-33aeb9d5ae0f 2
/communities/663a7aa4-fa3d-460b-9585-b31b5674e20a 1
/communities/79696ce9-39ed-4f67-80be-5948b848b1c8 1
/communities/7dc49154-f0b3-4902-9af3-71f8b27efad4 1
/communities/b3c7d2fc-c6c5-4878-ba4a-511a843c709c 1
/communities/dbef5fb5-3027-49d9-9bf0-0f2d44415146 3
/communities/e5098278-fff6-43dd-83b7-2d802d888f05 2
/communities/fe435281-084f-4ddf-ac9c-ad72081396ce 3
/community-list 1
/home 1
/info/end-user-agreement 1
/info/privacy 1
/items/0160ed5e-23f1-404c-a6c0-eff54fa186ea/full 15
/items/14bd319e-79ec-41a6-9b0b-75878b3710ee 1
/items/1c71b9fb-d855-43e1-a2af-6513c4aadb72 1
/items/22d2db70-e5da-4dda-ba49-831898db737c 1
/items/46ef5a91-dc55-47cf-8fc8-7940d3e0376b 1
/items/5fd00655-1f0a-4261-93de-42a1a06ef128 1
/items/65b7f719-d788-488a-90b7-8da0dad4a31e/full 1
/items/7103c7f2-5a5f-4392-92de-2e2bd194d522 1
/items/a28c20af-1b4f-4699-8aa7-219722ad2557 1
/items/a7e28886-ce18-4745-8500-ef09d7b62804 1
/items/b826e34a-2ba5-48ac-9ec3-4b28ffca855a 1
/items/c3ccd304-ae49-44e5-8d2a-36b928ca0b51/full 1
/items/cea61be5-8e79-4ab8-86d1-7f56852fe18a 1
/register 1
/reload/1727961770073 1
/search 8
/statistics 1
/statistics/collections/11ca30c5-3153-4bde-8f56-78e4551251a8 1
/statistics/items/0160ed5e-23f1-404c-a6c0-eff54fa186ea 1
/workflowitems
After some research I haven't found a way to prevent this alert from happening.
Can someone give some advice on this matter?
Thanks in advance.