...
This release addresses the following security issues discovered in DSpace 4.x and below:
...
- JSPUI, XMLUI and REST security fixes:
  - [HIGH SEVERITY] Bitstreams of embargoed and/or withdrawn items can be accessed by anyone. (DS-3097 - requires a JIRA account to access)
    - Reported by Franziska Ackermann
  - [MEDIUM SEVERITY] XML External Entity (XXE) vulnerability in pdfbox. (DS-3309 - requires a JIRA account to access)
    - This issue was actually fixed in an earlier, unannounced 4.6 release, but the fix is also included in 4.7.
- JSPUI security fix:
  - [HIGH SEVERITY] Any registered user can modify an in-progress submission. (DS-2895 - requires a JIRA account to access)
In addition, this release fixes minor bugs in the 4.x releases. For more information, see the Changes in 4.x page.
...