CVE-2016-10726: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

October 19, 2018 (updated June 11, 2021)

The XMLUI feature in DSpace before 3.6, 4.x before 4.5, and 5.x before 5.5 allows directory traversal via the themes/ path in an attack with two or more arbitrary characters and a colon before a pathname, as demonstrated by a themes/Reference/aa:etc/passwd URI.

References

github.com/DSpace/DSpace/releases/tag/dspace-5.5
github.com/advisories/GHSA-4m9r-5gqp-7j82
nvd.nist.gov/vuln/detail/CVE-2016-10726

Detect and mitigate CVE-2016-10726 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →