SECURITY NOTICE: DSpace 7 sites are vulnerable to XSS attacks via deposited HTML/XML bitstreams (low severity)

Tim Donohue

Jun 25, 2024, 9:41:19 AM
to DSpace Community, DSpace Technical Support, DSpace Developers
All,

A new DSpace 7 security advisory has been released.

CVE-2024-38364 : Cross Site Scripting (XSS) possible via a deposited HTML/XML document with embedded JavaScript

  • Severity: Low
  • Impacts versions 7.0 through 7.6.1 only (1.x - 6.x are not affected)
  • Fixed in 8.0 and 7.6.2 (coming soon)
  • Workarounds / patches are available for all 7.x releases (see linked advisory above for all the details)

We recommend that all DSpace 7.x sites immediately apply patches or upgrade. Sites which allow for unmonitored submissions (i.e. allowing items to go public without any workflow approval) are more likely to be vulnerable. The attacker must already have submitter privileges in your DSpace repository. CORS and CSRF protections built into DSpace 7 help limit the impact of the attack.

If you have any questions about this security advisory, please email secu...@dspace.org. This email address sends a private email to all DSpace Committers.

Sincerely,

Tim Donohue, on behalf of the DSpace Committers

--

Tim Donohue (he/him)

Technical Lead, DSpace

tim.d...@lyrasis.org

Lyrasis.org | DSpace.org
