All,

A new DSpace 7 security advisory has been released.

CVE-2024-38364: Cross Site Scripting (XSS) possible via a deposited HTML/XML document with embedded JavaScript
https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf

* Severity: Low
* Impacts versions 7.0 through 7.6.1 only (1.x - 6.x are not affected)
* Fixed in 8.0 and 7.6.2 (coming soon)
* Workarounds / patches are available for all 7.x releases (see linked advisory above for all the details)

We recommend that all DSpace 7.x sites immediately apply patches or upgrade. Sites which allow for unmonitored submissions (i.e. allowing items to go public without any workflow approval) are more likely to be vulnerable. The attacker must already have submitter privileges in your DSpace repository. CORS and CSRF protections built into DSpace 7 help limit the impact of the attack.

If you have any questions about this security advisory, please email secur...@dspace.org. This email address sends a private email to all DSpace Committers.

Sincerely,
Tim Donohue, on behalf of the DSpace Committers

--
Tim Donohue (he/him)
Technical Lead, DSpace
tim.dono...@lyrasis.org
Lyrasis.org <https://www.lyrasis.org/> | DSpace.org <http://dspace.org>

---
You received this message because you are subscribed to the Google Groups "DSpace Developers" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-devel/CH3PR22MB55480FEE676ABCB71E86BE06EDD42%40CH3PR22MB5548.namprd22.prod.outlook.com.