All,
A new DSpace 7 security advisory has been released.
CVE-2024-38364: Cross Site Scripting (XSS) possible via a deposited HTML/XML document with embedded JavaScript
- Severity: Low
- Impacts versions 7.0 through 7.6.1 only (1.x - 6.x are not affected)
- Fixed in 8.0 and 7.6.2 (coming soon)
- Workarounds / patches are available for all 7.x releases (see linked advisory above for all the details)
We recommend that all DSpace 7.x sites immediately apply patches or upgrade.
Sites which allow for unmonitored submissions (i.e. allowing items to go public
without any workflow approval) are more likely to be vulnerable. The attacker
must already have submitter privileges in your DSpace repository. CORS and CSRF protections built into DSpace 7 help limit the impact of the attack.
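The paragraph above notes that repositories where submissions go public without workflow review are most exposed. The following is an added example, not DSpace code and not the patch referenced in the advisory: a hypothetical pre-publication check that a workflow reviewer (or a script run over a submission's bitstreams) could use to flag HTML/XML files carrying embedded JavaScript, so that a human looks at them before the item is released. The function names, the indicator list and the sample documents are all constructed for this example.

```python
"""Flag deposited HTML/XML documents that carry embedded JavaScript.

Added example (not DSpace's own code): a heuristic pre-publication check
for workflow reviewers. It looks for the usual places script can hide in
a document that a browser will render: <script> elements, on* event
handler attributes, javascript: URLs in URL-bearing attributes, and
xml-stylesheet processing instructions (an XSLT stylesheet can emit
script-bearing HTML when the XML is viewed in a browser).
"""
from html.parser import HTMLParser

# Attributes whose value a browser treats as a URL (constructed list).
URL_ATTRS = {"href", "src", "xlink:href", "action", "formaction", "data"}


class ScriptIndicatorParser(HTMLParser):
    """Collects human-readable findings while parsing an HTML/XML document."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag == "script":
            self.findings.append(f"<script> element at line {line}")
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):
                # onload=, onerror=, onclick=, ... are inline event handlers.
                self.findings.append(
                    f"event handler attribute {name}= on <{tag}> at line {line}")
            elif name in URL_ATTRS and value:
                # Strip all whitespace first: "java\nscript:" is still executed
                # by browsers, so compare on the normalised form.
                normalised = "".join(value.split()).lower()
                if normalised.startswith("javascript:"):
                    self.findings.append(
                        f"javascript: URL in {name}= on <{tag}> at line {line}")

    def handle_pi(self, data):
        # <?xml-stylesheet ...?> pulls in an XSLT stylesheet that the browser
        # applies client-side; flag it for manual review rather than trust it.
        if data.lower().lstrip().startswith("xml-stylesheet"):
            self.findings.append(
                f"xml-stylesheet processing instruction at line {self.getpos()[0]}")


def find_script_indicators(document: str) -> list:
    """Return a list of findings (empty means nothing suspicious was seen)."""
    parser = ScriptIndicatorParser()
    parser.feed(document)
    parser.close()
    return parser.findings


def is_safe_to_publish(document: str) -> bool:
    """True when the heuristic found no script indicators in the document."""
    return not find_script_indicators(document)


# Constructed sample documents standing in for deposited bitstreams.
BENIGN_SAMPLE = (
    "<html><body><h1>Thesis abstract</h1>"
    "<a href='https://example.org/'>supplementary data</a></body></html>"
)

SUSPECT_SAMPLE = """<html><body>
<img src="x" onerror="/* constructed */">
<a href="java
script:/* constructed */">click</a>
<script>/* constructed */</script>
</body></html>"""

XML_SAMPLE = (
    '<?xml version="1.0"?>'
    '<?xml-stylesheet type="text/xsl" href="style.xsl"?>'
    "<doc><title>Record</title></doc>"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SAMPLE),
                       ("suspect", SUSPECT_SAMPLE),
                       ("xml", XML_SAMPLE)):
        print(label, "->", find_script_indicators(doc) or "no indicators")
```

The check is deliberately a coarse reviewer aid: it tells a human which deposited files deserve a look before an item is made public, which is exactly the step that unmonitored submission paths skip. It does not replace the vendor patch or upgrade the advisory recommends.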
If you have any questions about this security advisory, please email
secu...@dspace.org. This email address sends a private email to all DSpace Committers.
Sincerely,
Tim Donohue, on behalf of the DSpace Committers