CVE-2016-10726: High severity vulnerability that affects org.dspace:dspace-xmlui

CVSS Score: 7.5 (CVSS v3.0)

Basic Information

EPSS Score: 0.55161%
Published: 10/19/2018
Updated: 1/9/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name             Ecosystem   Vulnerable Versions   First Patched Version
org.dspace:dspace-xmlui  maven       < 3.6                 3.6
org.dspace:dspace-xmlui  maven       >= 4.0, < 4.5         4.5
org.dspace:dspace-xmlui  maven       >= 5.0, < 5.5         5.5

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability is improper path validation in XMLUI theme handling. The advisory details and DSpace's architecture indicate that ThemeServlet's resource-serving code is what would process a malicious themes/ path. The colon in the crafted path points to insufficient sanitization in the path resolution logic: the request contains no "../" segment, so a check that only looks for parent-directory references would not catch it, yet the resolved location still escapes the theme directory. Exact patch details are unavailable, so the candidates are identified from their responsibilities rather than from the fix itself: ThemeServlet with high confidence, because it serves theme resources, and Theme.getThemePath as a secondary candidate, because it resolves theme paths.
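To make the distinction above concrete, the following Python is an added example (not DSpace's ThemeServlet code and not the upstream fix). It contrasts a denylist-style check that only refuses ".." segments, the class of check the analysis calls insufficient, with a containment check that canonicalises the resolved path and requires it to remain under the theme root. THEME_ROOT, the function names and the request paths are assumptions; the "aa:etc" form is the shape the advisory describes.

```python
"""Theme-resource path validation: denylist vs. canonical containment.

Added example; not DSpace's code and not the upstream patch. THEME_ROOT,
the function names and the sample request paths are assumptions.
"""
import posixpath
from urllib.parse import unquote

# Assumed location of XMLUI theme assets (not DSpace's real layout).
THEME_ROOT = "/opt/dspace/webapps/xmlui/themes"
PREFIX = "themes/"


def naive_allows(request_path: str) -> bool:
    """Denylist check that only refuses '..' segments (hypothetical, insufficient).

    'themes/Reference/aa:etc/passwd' contains no '..' segment, so this
    returns True and hands the path to whatever resolves it next.
    """
    return ".." not in unquote(request_path).split("/")


def hardened_resolve(request_path: str, theme_root: str = THEME_ROOT):
    """Map themes/<theme>/<resource> to a file under theme_root, or None.

    Returns None for: paths outside themes/, NUL bytes, any segment
    containing ':' (a theme asset never needs one, and 'xx:' is the shape
    the advisory describes), the bare theme root, and any canonicalised
    path that no longer sits under theme_root.
    """
    path = unquote(request_path)  # decode %3A / %2E%2E before any check
    if "\x00" in path or not path.startswith(PREFIX):
        return None
    rel = path[len(PREFIX):]
    if any(":" in seg for seg in rel.split("/")):
        return None
    # Canonicalise first, then test containment on the result, never on the input.
    candidate = posixpath.normpath(posixpath.join(theme_root, rel))
    if candidate == theme_root:
        return None
    if posixpath.commonpath([theme_root, candidate]) != theme_root:
        return None
    return candidate


if __name__ == "__main__":
    for p in ("themes/Reference/style.css",
              "themes/Reference/../../etc/passwd",
              "themes/Reference/aa:etc/passwd",
              "themes/Reference/aa%3Aetc/passwd"):
        print(f"{p:45} naive={naive_allows(p)!s:5} hardened={hardened_resolve(p)}")
```

The Java equivalent of the containment step is `Path.normalize()` (or `toRealPath()` for an existing file) followed by `startsWith(themeRoot)`; rejecting a colon segment outright is the cheaper guard, because no theme asset name needs one.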

Description

The XMLUI feature in DSpace before 3.6, 4.x before 4.5, and 5.x before 5.5 allows directory traversal via the themes/ path in an attack with two or more arbitrary characters and a colon before a pathname, as demonstrated by a themes/Reference/aa:etc/ request path.
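The request shape in the description (a themes/<theme>/ path whose next segment is two or more characters followed by a colon) is specific enough to match in access logs or in a WAF rule. The following Python is an added example, not a Miggo rule and not part of the page; the access-log lines are constructed, and the regexes and function names are assumptions. It decodes percent-encoding first so that %3A does not evade the match, and it ignores the query string.

```python
"""Detection of the themes/<theme>/<xx>:<path> request shape from CVE-2016-10726.

Added example; the log lines below are constructed, not real traffic, and the
pattern follows the advisory wording (two or more characters before the colon).
"""
import re
from urllib.parse import unquote

# /themes/<theme>/ followed by 2+ chars that are not '/', ':', '?', '#', then ':'.
THEMES_COLON = re.compile(r"/themes/[^/?#]+/[^/:?#]{2,}:")

# Common Log Format: ip ident user [time] "method target proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [19/Oct/2018:10:00:01 +0000] "GET /xmlui/themes/Reference/style.css HTTP/1.1" 200 4123
10.0.0.9 - - [19/Oct/2018:10:00:02 +0000] "GET /xmlui/themes/Reference/aa:etc/passwd HTTP/1.1" 200 1782
10.0.0.9 - - [19/Oct/2018:10:00:03 +0000] "GET /xmlui/themes/Mirage/zz%3Aetc/passwd HTTP/1.1" 200 1782
10.0.0.7 - - [19/Oct/2018:10:00:04 +0000] "GET /xmlui/themes/Mirage/a:etc/passwd HTTP/1.1" 404 512
10.0.0.7 - - [19/Oct/2018:10:00:05 +0000] "GET /xmlui/themes/Reference/style.css?v=12:30 HTTP/1.1" 200 4123
"""


def is_theme_colon_traversal(request_target: str) -> bool:
    """True if the request path (query stripped, percent-decoded) matches the shape."""
    path = unquote(request_target).split("?", 1)[0]
    return THEMES_COLON.search(path) is not None


def flag_suspicious_requests(log_text: str):
    """Return (ip, raw target, status) for every log line matching the shape."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_theme_colon_traversal(m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, target, status in flag_suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

A 200 on a matching request (as opposed to a 404) is the line to escalate, since it means the server resolved and served something for the crafted path. The `{2,}` quantifier mirrors the advisory's "two or more arbitrary characters"; loosening it to `{1,}` trades a few more false positives for coverage of probes that do not follow that wording exactly.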