CVE-2016-10726: High severity vulnerability that affects org.dspace:dspace-xmlui

Basic Information
CVSS Score: 7.5 (CVSS 3.0)
CVE ID: CVE-2016-10726
GHSA ID:
EPSS Score: 0.55161%
CWE:
Published: 10/19/2018
Updated: 1/9/2023
KEV Status: No
Technology: Java

Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.dspace:dspace-xmlui | maven | >= 4.0, < 4.5 | 4.5 |
org.dspace:dspace-xmlui | maven | >= 5.0, < 5.5 | 5.5 |
org.dspace:dspace-xmlui | maven | < 3.6 | 3.6 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability involves improper path validation in XMLUI theme handling. Analysis of the advisory details and the DSpace architecture indicates that ThemeServlet's resource-serving mechanism would process the malicious themes/ path. The colon in the path suggests insufficient sanitization in the path resolution logic. While exact patch details are unavailable, the theme handling components are the primary entry point for this attack vector. The high confidence assigned to ThemeServlet reflects its role in serving theme resources; Theme.getThemePath is a secondary candidate because it is responsible for path resolution.