...
Major bug fixes include:
- XMLUI security fixes:
  - [HIGH SEVERITY] The XMLUI "themes/" path is vulnerable to a full directory traversal. (DS-3094 - requires a JIRA account to access.) This means that ANY files on your system which are readable to the Tomcat user account may be publicly accessed via your DSpace website.
    - Reported by Virginia Tech
- JSPUI security fixes:
  - [MEDIUM SEVERITY] The JSPUI "Edit News" feature (accessible to Administrators) can be used to view/edit ANY files which are readable to the Tomcat user account. (DS-3063 - requires a JIRA account to access.)
    - Reported by CINECA
- REST fixes
- OAI fixes
- Configuration fixes
- Other minor fixes
- Broken SQL query in Item.findByMetadataFieldAuthority API method (DS-2517)
- Mirage2:
- Ensured printing the item page from doesn't include bitstream URLs (DS-2893)
...