SECURITY NOTICE: DSpace 7 sites are vulnerable to XSS attacks via deposited HTML/XML bitstreams (low severity)


Tim Donohue

Jun 25, 2024, 9:41:20 AM
to DSpace Community, DSpace Technical Support, DSpace Developers
All,

A new DSpace 7 security advisory has been released.

CVE-2024-38364 : Cross Site Scripting (XSS) possible via a deposited HTML/XML document with embedded JavaScript

  • Severity: Low
  • Impacts versions 7.0 through 7.6.1 only (1.x - 6.x are not affected)
  • Fixed in 8.0 and 7.6.2 (coming soon)
  • Workarounds / patches are available for all 7.x releases (see linked advisory above for all the details)

We recommend that all DSpace 7.x sites immediately apply patches or upgrade. Sites which allow for unmonitored submissions (i.e. allowing items to go public without any workflow approval) are more likely to be vulnerable. The attacker must already have submitter privileges in your DSpace repository. CORS and CSRF protections built into DSpace 7 help limit the impact of the attack.

If you have any questions about this security advisory, please email secu...@dspace.org. This email address sends a private email to all DSpace Committers.

Sincerely,

Tim Donohue, on behalf of the DSpace Committers

--

Tim Donohue (he/him)

Technical Lead, DSpace

tim.d...@lyrasis.org

Lyrasis.org | DSpace.org
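The advisory above says only that embedded JavaScript in a deposited HTML/XML bitstream can execute; it does not reproduce the fix. The following is an added example, not DSpace code and not taken from the linked advisory, showing the pattern behind this class of bug: a repository that serves submitter-uploaded bitstreams inline from its own origin hands the submitter stored XSS against every reader, and the header policy that closes it is to force download for script-capable types and mark the rest unsniffable and sandboxed. The list of "active" MIME types, the header names chosen, the filename sanitizer and the sample deposit are all this example's own assumptions.

```python
"""Added example (not DSpace's own code): the inline-vs-download decision for
deposited bitstreams, the vulnerable form beside the hardened form.
Assumption: bitstreams are served from the same origin as the repository UI,
so script inside an inline-rendered bitstream runs with that origin's cookies
and session. All identifiers here are illustrative."""
import re
from typing import Dict

# MIME types a browser parses as a document that can run script when rendered
# inline. Assumed list; compared case-insensitively with parameters stripped.
ACTIVE_CONTENT_TYPES = frozenset({
    "text/html", "application/xhtml+xml",
    "text/xml", "application/xml",      # XML can reach script via XHTML/XSLT
    "image/svg+xml",                    # SVG is XML and may embed <script>
    "text/javascript", "application/javascript",
})

# Constructed sample deposit: a submitter-declared type (oddly cased on purpose)
# and a body carrying script. Not real data from any repository.
SAMPLE_BITSTREAM = {
    "filename": "article.html",
    "mime": "text/HTML; charset=utf-8",
    "body": b"<html><body><script>/* attacker-controlled */</script></body></html>",
}


def _base_type(mime: str) -> str:
    """'text/HTML; charset=utf-8' -> 'text/html'."""
    return mime.split(";", 1)[0].strip().lower()


def _safe_filename(name: str) -> str:
    """Keep the header single-line and quotable: replace anything outside a
    conservative character set (stops CR/LF header injection and quote breaks)."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", name)[:255] or "download"


def naive_headers(filename: str, mime: str) -> Dict[str, str]:
    """Vulnerable pattern: trust the stored type and always render inline."""
    return {
        "Content-Type": mime,
        "Content-Disposition": f'inline; filename="{filename}"',
    }


def hardened_headers(filename: str, mime: str) -> Dict[str, str]:
    """Force download for script-capable types; render everything else inline
    but unsniffable and sandboxed."""
    disposition = "attachment" if _base_type(mime) in ACTIVE_CONTENT_TYPES else "inline"
    return {
        "Content-Type": mime,
        "Content-Disposition": f'{disposition}; filename="{_safe_filename(filename)}"',
        # Stop the browser from re-interpreting e.g. text/plain as HTML.
        "X-Content-Type-Options": "nosniff",
        # Defence in depth: anything that is rendered inline gets no script
        # and an opaque origin, so it cannot read repository cookies or DOM.
        "Content-Security-Policy": "sandbox",
    }


def would_run_script(headers: Dict[str, str]) -> bool:
    """Would this response let embedded script execute in the repository
    origin? True only if rendered inline, with an active type, and without
    a CSP sandbox."""
    disp = headers.get("Content-Disposition", "inline").split(";", 1)[0].strip().lower()
    active = _base_type(headers.get("Content-Type", "")) in ACTIVE_CONTENT_TYPES
    sandboxed = "sandbox" in headers.get("Content-Security-Policy", "").lower()
    return disp == "inline" and active and not sandboxed


if __name__ == "__main__":
    f, m = SAMPLE_BITSTREAM["filename"], SAMPLE_BITSTREAM["mime"]
    print("naive   :", would_run_script(naive_headers(f, m)))     # True
    print("hardened:", would_run_script(hardened_headers(f, m)))  # False
```

Note that the decision keys on the type the repository will send, not on the file's bytes: a submitter who labels an HTML file as text/plain gets it served as text/plain, and `nosniff` keeps the browser from promoting it to HTML. Types that are genuinely useful to view in place (PDF, images, plain text) stay inline, so the change is invisible to readers except for HTML, XML and SVG deposits, which download instead of rendering.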

Priscilla Carmini

Jul 3, 2024, 1:14:23 PM
to DSpace Community
Hi Tim,

Is there a timeline for the release of 7.6.2? My institution is looking to upgrade to 7.6, but we would prefer to migrate to a secure version of DSpace. 

Kind regards,

Priscilla

DSpace Community

Jul 3, 2024, 3:40:56 PM
to DSpace Community
Hi Priscilla,

DSpace 7.6.2 is nearly finished and is likely to arrive in about one week's time (assuming all goes as planned).  Keep an eye out for the release announcement on or around July 10th.

Tim

Priscilla Carmini

Jul 3, 2024, 4:18:58 PM
to DSpace Community
Thanks, Tim! I'll keep an eye out for the announcement.

Priscilla

--
All messages to this mailing list should adhere to the Code of Conduct: https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
---
You received this message because you are subscribed to the Google Groups "DSpace Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dspace-communi...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-community/671730e3-7a0f-45ff-943a-2b3006c3cf4fn%40googlegroups.com.