Search criteria
168 vulnerabilities found for dotcms by dotcms
FKIE_CVE-2024-3938
Vulnerability from fkie_nvd - Published: 2024-07-25 22:15 - Updated: 2024-11-21 09:30
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
The "reset password" login page accepted an HTML injection via URL parameters.
This has already been rectified via patch, and as such it cannot be demonstrated via Demo site link. Those interested to see the vulnerability may spin up a http://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true&resetEmail=%3Ch1%3E%3Ca%20href%3D%22https:%2F%2Fgoogle.com%22%3ECLICK%20ME%3C%2Fa%3E%3C%2Fh1%3E
This will result in a view along these lines:
* OWASP Top 10 - A03: Injection
* CVSS Score: 5.4
* AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
* https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N&... https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
References
| URL | Tags | ||
|---|---|---|---|
| security@dotcms.com | https://www.dotcms.com/security/SI-71 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.dotcms.com/security/SI-71 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| dotcms | dotcms | * | |
| dotcms | dotcms | * | |
| dotcms | dotcms | * | |
| dotcms | dotcms | * | |
| dotcms | dotcms | 23.10.24 | |
| dotcms | dotcms | 23.10.24 | |
| dotcms | dotcms | 23.10.24 | |
| dotcms | dotcms | 23.10.24 | |
| dotcms | dotcms | 23.10.24 | |
| dotcms | dotcms | 23.10.24 | |
| dotcms | dotcms | 23.10.24 | |
| dotcms | dotcms | 23.10.24 | |
| dotcms | dotcms | 23.10.24 | |
| dotcms | dotcms | 23.10.24 | |
| dotcms | dotcms | 23.10.24.0 | |
| dotcms | dotcms | 24.04.24 | |
| dotcms | dotcms | 24.04.24 | |
| dotcms | dotcms | 24.04.24 | |
| dotcms | dotcms | 24.04.24 | |
| dotcms | dotcms | 24.04.24 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5D8CDD8C-0F92-4218-ACDB-C3E691F928AF",
"versionEndExcluding": "23.01.18",
"versionStartIncluding": "5.1.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E85B4224-34E8-47CD-8F08-8B129868AF1F",
"versionEndIncluding": "23.09.7",
"versionStartIncluding": "23.02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6A6601A2-B008-44C9-A7C4-1DB2D613BD14",
"versionEndIncluding": "24.04.23",
"versionStartIncluding": "23.12.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "379748A4-D76F-4402-9A4F-E509C6735285",
"versionEndExcluding": "24.05.31",
"versionStartIncluding": "24.05.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:1:*:*:lts:*:*:*",
"matchCriteriaId": "33DBCA2A-D4E2-4AE6-B6E0-FD0A277266F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:10:*:*:lts:*:*:*",
"matchCriteriaId": "DECC3919-5044-41AF-9AAA-A964027F51C1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:2:*:*:lts:*:*:*",
"matchCriteriaId": "342C11DD-7760-42AE-8670-4461ECB51E4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:3:*:*:lts:*:*:*",
"matchCriteriaId": "90B73A81-7202-4B0B-822B-4F2EE4480663",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:4:*:*:lts:*:*:*",
"matchCriteriaId": "0BFA7220-B846-451B-A7B2-C3DC87767575",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:5:*:*:lts:*:*:*",
"matchCriteriaId": "258813CA-66A7-4DCA-883D-884FB88430DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:6:*:*:lts:*:*:*",
"matchCriteriaId": "E69C8B72-A38C-4D97-83BB-DCE392D3ABD0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:7:*:*:lts:*:*:*",
"matchCriteriaId": "B5309F19-2D65-4E87-87FD-2A0294008FF5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:8:*:*:lts:*:*:*",
"matchCriteriaId": "CBAEE45C-234C-4E5C-86CF-4F71A457D6F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:9:*:*:lts:*:*:*",
"matchCriteriaId": "FD553D7C-158F-489D-8C4C-8E2E056D52BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24.0:*:*:*:lts:*:*:*",
"matchCriteriaId": "9692C9DB-6111-4EE6-8DE8-1614DF87F365",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:24.04.24:-:*:*:*:*:*:*",
"matchCriteriaId": "EB1AD7A4-1F60-493C-8BB2-E13F44F3CCD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:24.04.24:0:*:*:lts:*:*:*",
"matchCriteriaId": "EE62FB6F-DB41-47B4-B8F7-0B9C887781D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:24.04.24:1:*:*:lts:*:*:*",
"matchCriteriaId": "395197BB-2613-43BA-9223-195461F993D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:24.04.24:2:*:*:lts:*:*:*",
"matchCriteriaId": "72350E82-5B73-41A9-B3F1-8CA7BF389897",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:24.04.24:3:*:*:lts:*:*:*",
"matchCriteriaId": "478A668F-DD76-4C0C-A444-A760C1AA5623",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The \"reset password\" login page accepted an HTML injection via URL parameters.\n\nThis has already been rectified via patch, and as such it cannot be demonstrated via Demo site link. Those interested to see the vulnerability may spin up a http://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true\u0026resetEmail=%3Ch1%3E%3Ca%20href%3D%22https:%2F%2Fgoogle.com%22%3ECLICK%20ME%3C%2Fa%3E%3C%2Fh1%3E \n\nThis will result in a view along these lines:\n\n\n\n\n\n * OWASP Top 10 - A03: Injection\n * CVSS Score: 5.4\n * AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator \n * https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\u0026... https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator"
},
{
"lang": "es",
"value": "La p\u00e1gina de inicio de sesi\u00f3n \"reset password\" acept\u00f3 una inyecci\u00f3n de HTML a trav\u00e9s de par\u00e1metros de URL. Esto ya se ha rectificado mediante un parche y, como tal, no se puede demostrar mediante el enlace del sitio de demostraci\u00f3n. Aquellos interesados en ver la vulnerabilidad pueden activar un http://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true\u0026amp;resetEmail=%3Ch1%3E%3Ca%20href%3D%22https:%2F%2Fgoogle.com% 22%3ECLICK%20ME%3C%2Fa%3E%3C%2Fh1%3E Esto dar\u00e1 como resultado una vista similar a estas l\u00edneas: * OWASP Top 10 - A03: Inyecci\u00f3n * Puntuaci\u00f3n CVSS: 5,4 * AV:N/AC:L/PR :N/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator * https://nvd.nist. gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\u0026amp;... https: //nvd.nist.gov/vuln-metrics/cvss/v3-calculator"
}
],
"id": "CVE-2024-3938",
"lastModified": "2024-11-21T09:30:44.540",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "security@dotcms.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-25T22:15:08.903",
"references": [
{
"source": "security@dotcms.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.dotcms.com/security/SI-71"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.dotcms.com/security/SI-71"
}
],
"sourceIdentifier": "security@dotcms.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security@dotcms.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-3165
Vulnerability from fkie_nvd - Published: 2024-04-01 22:15 - Updated: 2025-06-27 14:06
Severity ?
Summary
System->Maintenance-> Log Files in dotCMS dashboard is providing the username/password for database connections in the log output. Nevertheless, this is a moderate issue as it requires a backend admin as well as that dbs are locked down by environment.
OWASP Top 10 - A05) Insecure Design
OWASP Top 10 - A05) Security Misconfiguration
OWASP Top 10 - A09) Security Logging and Monitoring Failure
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B8156D65-B011-4B9A-BF2E-F7F3CCFA8BD7",
"versionEndExcluding": "22.03.15",
"versionStartIncluding": "22.02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4513A2EB-037F-4037-B4F7-44B8AECB407A",
"versionEndExcluding": "23.01.15",
"versionStartIncluding": "23.01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E85B4224-34E8-47CD-8F08-8B129868AF1F",
"versionEndIncluding": "23.09.7",
"versionStartIncluding": "23.02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:1:*:*:lts:*:*:*",
"matchCriteriaId": "33DBCA2A-D4E2-4AE6-B6E0-FD0A277266F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:2:*:*:lts:*:*:*",
"matchCriteriaId": "342C11DD-7760-42AE-8670-4461ECB51E4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:3:*:*:lts:*:*:*",
"matchCriteriaId": "90B73A81-7202-4B0B-822B-4F2EE4480663",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:4:*:*:lts:*:*:*",
"matchCriteriaId": "0BFA7220-B846-451B-A7B2-C3DC87767575",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:5:*:*:lts:*:*:*",
"matchCriteriaId": "258813CA-66A7-4DCA-883D-884FB88430DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:6:*:*:lts:*:*:*",
"matchCriteriaId": "E69C8B72-A38C-4D97-83BB-DCE392D3ABD0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:7:*:*:lts:*:*:*",
"matchCriteriaId": "B5309F19-2D65-4E87-87FD-2A0294008FF5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "System-\u003eMaintenance-\u003e Log Files in dotCMS dashboard is providing the username/password for database connections in the log output. Nevertheless, this is a moderate issue as it requires a backend admin as well as that dbs are locked down by environment. \u00a0\n\nOWASP Top 10 - A05) Insecure Design\n\nOWASP Top 10 - A05) Security Misconfiguration\n\nOWASP Top 10 - A09) Security Logging and Monitoring Failure"
},
{
"lang": "es",
"value": "System-\u0026gt;Maintenance-\u0026gt; Log Files en el panel de dotCMS proporciona el nombre de usuario/contrase\u00f1a para las conexiones de la base de datos en la salida del registro. Sin embargo, este es un problema moderado, ya que requiere un administrador de backend y que las bases de datos est\u00e9n bloqueadas por el entorno. OWASP Top 10 - A05) Dise\u00f1o inseguro OWASP Top 10 - A05) Configuraci\u00f3n incorrecta de seguridad OWASP Top 10 - A09) Fallo de registro y monitoreo de seguridad"
}
],
"id": "CVE-2024-3165",
"lastModified": "2025-06-27T14:06:33.077",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 3.6,
"source": "security@dotcms.com",
"type": "Secondary"
}
]
},
"published": "2024-04-01T22:15:23.080",
"references": [
{
"source": "security@dotcms.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/dotCMS/core/issues/27910"
},
{
"source": "security@dotcms.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/dotCMS/core/pull/28006"
},
{
"source": "security@dotcms.com",
"tags": [
"Broken Link"
],
"url": "https://www.dotcms.com/security/SI-70"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/dotCMS/core/issues/27910"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/dotCMS/core/pull/28006"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://www.dotcms.com/security/SI-70"
}
],
"sourceIdentifier": "security@dotcms.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-532"
}
],
"source": "security@dotcms.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-3164
Vulnerability from fkie_nvd - Published: 2024-04-01 22:15 - Updated: 2025-06-27 14:06
Severity ?
Summary
In dotCMS dashboard, the Tools and Log Files tabs under System → Maintenance Portlet, which is and always has been an Admin portlet, is accessible to anyone with that portlet and not just to CMS Admins. Users that get site admin but not a system admin, should not have access to the System Maintenance → Tools portlet. This would share database username and password under Log Files and download DB Dump and other dotCMS Content under Tools. Nothing in the System → Maintenance should be displayed for users with site admin role. Only system admins must have access to System Maintenance.
OWASP Top 10 - A01) Broken Access Control
OWASP Top 10 - A04) Insecure Design
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B8156D65-B011-4B9A-BF2E-F7F3CCFA8BD7",
"versionEndExcluding": "22.03.15",
"versionStartIncluding": "22.02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4513A2EB-037F-4037-B4F7-44B8AECB407A",
"versionEndExcluding": "23.01.15",
"versionStartIncluding": "23.01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E85B4224-34E8-47CD-8F08-8B129868AF1F",
"versionEndIncluding": "23.09.7",
"versionStartIncluding": "23.02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:1:*:*:lts:*:*:*",
"matchCriteriaId": "33DBCA2A-D4E2-4AE6-B6E0-FD0A277266F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:2:*:*:lts:*:*:*",
"matchCriteriaId": "342C11DD-7760-42AE-8670-4461ECB51E4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:3:*:*:lts:*:*:*",
"matchCriteriaId": "90B73A81-7202-4B0B-822B-4F2EE4480663",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:4:*:*:lts:*:*:*",
"matchCriteriaId": "0BFA7220-B846-451B-A7B2-C3DC87767575",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:5:*:*:lts:*:*:*",
"matchCriteriaId": "258813CA-66A7-4DCA-883D-884FB88430DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:6:*:*:lts:*:*:*",
"matchCriteriaId": "E69C8B72-A38C-4D97-83BB-DCE392D3ABD0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:7:*:*:lts:*:*:*",
"matchCriteriaId": "B5309F19-2D65-4E87-87FD-2A0294008FF5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In dotCMS dashboard, the Tools and Log Files tabs under System \u2192 Maintenance Portlet, which is and always has been an Admin portlet, is accessible to anyone with that portlet and not just to CMS Admins. Users that get site admin but not a system admin, should not have access to the System Maintenance \u2192 Tools portlet. This would share database username and password under Log Files and download DB Dump and other dotCMS Content under Tools. Nothing in the System \u2192 Maintenance should be displayed for users with site admin role. Only system admins must have access to System Maintenance.\n\nOWASP Top 10 - A01) Broken Access Control\n\nOWASP Top 10 - A04) Insecure Design"
},
{
"lang": "es",
"value": "En el panel de dotCMS, las pesta\u00f1as Tools y Log Files en System-\u0026gt;Maintenance-\u0026gt; Log Files, que es y siempre ha sido un portlet de administraci\u00f3n, son accesibles para cualquier persona con ese portlet y no solo para los administradores de CMS. Los usuarios que obtienen un administrador del sitio pero no un administrador del sistema no deber\u00edan tener acceso al portlet System Maintenance ? Tools. Esto compartir\u00eda el nombre de usuario y la contrase\u00f1a de la base de datos en Archivos de registro y descargar\u00eda DB Dump y otro contenido de dotCMS en Herramientas. No se debe mostrar nada en System ? Maintenance para los usuarios con funci\u00f3n de administrador del sitio. S\u00f3lo los administradores del sistema deben tener acceso al Mantenimiento del sistema. OWASP Top 10 - A01) Control de acceso roto OWASP Top 10 - A04) Dise\u00f1o inseguro"
}
],
"id": "CVE-2024-3164",
"lastModified": "2025-06-27T14:06:30.103",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 3.6,
"source": "security@dotcms.com",
"type": "Secondary"
}
]
},
"published": "2024-04-01T22:15:22.507",
"references": [
{
"source": "security@dotcms.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/dotCMS/core/issues/27909"
},
{
"source": "security@dotcms.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/dotCMS/core/pull/27912"
},
{
"source": "security@dotcms.com",
"tags": [
"Broken Link"
],
"url": "https://www.dotcms.com/security/SI-69"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/dotCMS/core/issues/27909"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/dotCMS/core/pull/27912"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://www.dotcms.com/security/SI-69"
}
],
"sourceIdentifier": "security@dotcms.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "security@dotcms.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-3042
Vulnerability from fkie_nvd - Published: 2023-10-17 23:15 - Updated: 2024-11-21 08:16
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should return a 404 response but didn't.
The oversight in the default invalid URL character list can be viewed at the provided GitHub link https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 .
To mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables.
Specifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings.
Additionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs.
Fix Version:23.06+, LTS 22.03.7+, LTS 23.01.4+
References
| URL | Tags | ||
|---|---|---|---|
| security@dotcms.com | https://www.dotcms.com/security/SI-68 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.dotcms.com/security/SI-68 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dotcms:dotcms:5.3.8:*:*:*:*:*:*:*",
"matchCriteriaId": "1B26B5D7-CE8E-4908-8D46-A78B1A4245BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:21.06:*:*:*:*:*:*:*",
"matchCriteriaId": "98D4378C-DEAC-44C1-89D1-A4846450E153",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:22.03:*:*:*:*:*:*:*",
"matchCriteriaId": "5FC8E88E-4C9A-4FE9-A3B6-2A5707323F1E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:23.01:*:*:*:*:*:*:*",
"matchCriteriaId": "D68AC1E5-1756-4838-8BE5-78B2F1435A6C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should return a 404 response but didn\u0027t. \n\nThe oversight in the default invalid URL character list can be viewed at the provided GitHub link https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 .\u00a0\n\nTo mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables.\n\nSpecifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings. \n\nAdditionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs.\n\nFix Version:23.06+, LTS 22.03.7+, LTS 23.01.4+"
},
{
"lang": "es",
"value": "En dotCMS, versiones mencionadas, una falla en NormalizationFilter no elimina las barras dobles (//) de las URL, lo que potencialmente permite omitir XSS y controles de acceso. Un ejemplo de URL afectada es https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp, que deber\u00eda devolver una respuesta 404 pero no lo hizo. La supervisi\u00f3n de la lista predeterminada de caracteres de URL no v\u00e1lidos se puede ver en el enlace proporcionado de GitHub https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java #L37. Para mitigar, los usuarios pueden bloquear las URL con barras dobles en los firewalls o utilizar variables de configuraci\u00f3n de dotCMS. Espec\u00edficamente, pueden usar la variable ambiental DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS para agregar // a la lista de cadenas no v\u00e1lidas. Adem\u00e1s, la variable DOT_URI_NORMALIZATION_FORBIDDEN_REGEX ofrece un control m\u00e1s detallado, por ejemplo, para bloquear URL //html.*. Versi\u00f3n reparada: 23.06+, LTS 22.03.7+, LTS 23.01.4+"
}
],
"id": "CVE-2023-3042",
"lastModified": "2024-11-21T08:16:18.480",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security@dotcms.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-17T23:15:11.920",
"references": [
{
"source": "security@dotcms.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.dotcms.com/security/SI-68"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.dotcms.com/security/SI-68"
}
],
"sourceIdentifier": "security@dotcms.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@dotcms.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-37034
Vulnerability from fkie_nvd - Published: 2023-02-01 23:15 - Updated: 2025-03-27 17:15
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
In dotCMS 5.x-22.06, it is possible to call the TempResource multiple times, each time requesting the dotCMS server to download a large file. If done repeatedly, this will result in Tomcat request-thread exhaustion and ultimately a denial of any other requests.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://www.dotcms.com/security/SI-65 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.dotcms.com/security/SI-65 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:lts:*:*:*",
"matchCriteriaId": "892E1ADB-4F41-49A1-8152-405738916E9C",
"versionEndExcluding": "21.06.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:-:*:*:*",
"matchCriteriaId": "1A2C78AF-6ED1-46C8-AFE7-4D08092CB2B4",
"versionEndExcluding": "22.10",
"versionStartIncluding": "5.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:lts:*:*:*",
"matchCriteriaId": "D8693CFE-4DD4-48D1-9F8F-659082CF6B4F",
"versionEndExcluding": "22.03.4",
"versionStartIncluding": "22.03",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In dotCMS 5.x-22.06, it is possible to call the TempResource multiple times, each time requesting the dotCMS server to download a large file. If done repeatedly, this will result in Tomcat request-thread exhaustion and ultimately a denial of any other requests."
}
],
"id": "CVE-2022-37034",
"lastModified": "2025-03-27T17:15:37.643",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-02-01T23:15:09.337",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://www.dotcms.com/security/SI-65"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.dotcms.com/security/SI-65"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-674"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-674"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-45782
Vulnerability from fkie_nvd - Published: 2023-02-01 22:15 - Updated: 2025-03-27 17:15
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
An issue was discovered in dotCMS core 5.3.8.5 through 5.3.8.15 and 21.03 through 22.10.1. A cryptographically insecure random generation algorithm for password-reset token generation leads to account takeover.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://www.dotcms.com/security/SI-66 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.dotcms.com/security/SI-66 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CB1EB5AD-7171-44EE-8A41-D426BF0A8CCA",
"versionEndIncluding": "5.3.8.15",
"versionStartIncluding": "5.3.8.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F42F1B65-D672-4F38-8643-B26B40D73D36",
"versionEndIncluding": "21.10.1",
"versionStartIncluding": "21.03",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in dotCMS core 5.3.8.5 through 5.3.8.15 and 21.03 through 22.10.1. A cryptographically insecure random generation algorithm for password-reset token generation leads to account takeover."
}
],
"id": "CVE-2022-45782",
"lastModified": "2025-03-27T17:15:37.873",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-02-01T22:15:08.807",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://www.dotcms.com/security/SI-66"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.dotcms.com/security/SI-66"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-338"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-338"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-45783
Vulnerability from fkie_nvd - Published: 2023-02-01 22:15 - Updated: 2025-03-27 17:15
Severity ?
6.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
6.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
6.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Summary
An issue was discovered in dotCMS core 4.x through 22.10.2. An authenticated directory traversal vulnerability in the dotCMS API can lead to Remote Code Execution.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://www.dotcms.com/security/SI-67 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.dotcms.com/security/SI-67 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "120DC132-15B4-4779-858C-3451CB3BE2BF",
"versionEndIncluding": "22.10.1",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in dotCMS core 4.x through 22.10.2. An authenticated directory traversal vulnerability in the dotCMS API can lead to Remote Code Execution."
}
],
"id": "CVE-2022-45783",
"lastModified": "2025-03-27T17:15:38.107",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.6,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.6,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-02-01T22:15:08.867",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://www.dotcms.com/security/SI-67"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.dotcms.com/security/SI-67"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-37033
Vulnerability from fkie_nvd - Published: 2023-02-01 22:15 - Updated: 2025-03-27 17:15
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
In dotCMS 5.x-22.06, TempFileAPI allows a user to create a temporary file based on a passed in URL, while attempting to block any SSRF access to local IP addresses or private subnets. In resolving this URL, the TempFileAPI follows any 302 redirects that the remote URL returns. Because there is no re-validation of the redirect URL, the TempFileAPI can be used to return data from those local/private hosts that should not be accessible remotely.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://www.dotcms.com/security/SI-64 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.dotcms.com/security/SI-64 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:lts:*:*:*",
"matchCriteriaId": "892E1ADB-4F41-49A1-8152-405738916E9C",
"versionEndExcluding": "21.06.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:-:*:*:*",
"matchCriteriaId": "0515BE47-1F05-404E-ABEE-10A3FF6C0515",
"versionEndExcluding": "22.08",
"versionStartIncluding": "5.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:lts:*:*:*",
"matchCriteriaId": "D8693CFE-4DD4-48D1-9F8F-659082CF6B4F",
"versionEndExcluding": "22.03.4",
"versionStartIncluding": "22.03",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In dotCMS 5.x-22.06, TempFileAPI allows a user to create a temporary file based on a passed in URL, while attempting to block any SSRF access to local IP addresses or private subnets. In resolving this URL, the TempFileAPI follows any 302 redirects that the remote URL returns. Because there is no re-validation of the redirect URL, the TempFileAPI can be used to return data from those local/private hosts that should not be accessible remotely."
}
],
"id": "CVE-2022-37033",
"lastModified": "2025-03-27T17:15:37.370",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-02-01T22:15:08.613",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://www.dotcms.com/security/SI-64"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.dotcms.com/security/SI-64"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-35740
Vulnerability from fkie_nvd - Published: 2022-11-10 21:15 - Updated: 2025-05-01 14:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
dotCMS before 22.06 allows remote attackers to bypass intended access control and obtain sensitive information by using a semicolon in a URL to introduce a matrix parameter. (This is also fixed in 5.3.8.12, 21.06.9, and 22.03.2 for LTS users.) Some Java application frameworks, including those used by Spring or Tomcat, allow the use of matrix parameters: these are URI parameters separated by semicolons. Through precise semicolon placement in a URI, it is possible to exploit this feature to avoid dotCMS's path-based XSS prevention (such as "require login" filters), and consequently access restricted resources. For example, an attacker could place a semicolon immediately before a / character that separates elements of a filesystem path. This could reveal file content that is ordinarily only visible to signed-in users. This issue can be chained with other exploit code to achieve XSS attacks against dotCMS.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/dotCMS/patches-hotfixes/tree/master/com.dotcms.security.matrixparams | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.dotcms.com/security/SI-63 | Exploit, Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/dotCMS/patches-hotfixes/tree/master/com.dotcms.security.matrixparams | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.dotcms.com/security/SI-63 | Exploit, Mitigation, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:lts:*:*:*",
"matchCriteriaId": "AF4F4D8E-0270-4FFB-BD5F-B654C4D2E8D8",
"versionEndExcluding": "5.3.8.12",
"versionStartIncluding": "5.3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:lts:*:*:*",
"matchCriteriaId": "FC366033-F8CF-4490-9ED5-B61175A05A04",
"versionEndExcluding": "21.06.9",
"versionStartIncluding": "21.06",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "04FF0C01-D5D3-4F4E-90B7-01C2B061D96D",
"versionEndExcluding": "22.06",
"versionStartIncluding": "22.01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:lts:*:*:*",
"matchCriteriaId": "B1FE64DC-D25A-4C34-B174-0B92225E0851",
"versionEndExcluding": "22.03.2",
"versionStartIncluding": "22.03",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "dotCMS before 22.06 allows remote attackers to bypass intended access control and obtain sensitive information by using a semicolon in a URL to introduce a matrix parameter. (This is also fixed in 5.3.8.12, 21.06.9, and 22.03.2 for LTS users.) Some Java application frameworks, including those used by Spring or Tomcat, allow the use of matrix parameters: these are URI parameters separated by semicolons. Through precise semicolon placement in a URI, it is possible to exploit this feature to avoid dotCMS\u0027s path-based XSS prevention (such as \"require login\" filters), and consequently access restricted resources. For example, an attacker could place a semicolon immediately before a / character that separates elements of a filesystem path. This could reveal file content that is ordinarily only visible to signed-in users. This issue can be chained with other exploit code to achieve XSS attacks against dotCMS."
},
{
"lang": "es",
"value": "dotCMS anterior a 22.06 permite a atacantes remotos omitir el control de acceso previsto y obtener informaci\u00f3n confidencial utilizando un punto y coma en una URL para introducir un par\u00e1metro de matriz. (Esto tambi\u00e9n se corrigi\u00f3 en 5.3.8.12, 21.06.9 y 22.03.2 para usuarios de LTS). Algunos frameworks de aplicaciones Java, incluidos los utilizados por Spring o Tomcat, permiten el uso de par\u00e1metros matriciales: estos son par\u00e1metros URI separados por punto y coma. Mediante la colocaci\u00f3n precisa de punto y coma en un URI, es posible explotar esta caracter\u00edstica para evitar la prevenci\u00f3n XSS basada en rutas de dotCMS (como los filtros \"requerir inicio de sesi\u00f3n\") y, en consecuencia, acceder a recursos restringidos. Por ejemplo, un atacante podr\u00eda colocar un punto y coma inmediatamente antes del car\u00e1cter / que separa los elementos de una ruta del sistema de archivos. Esto podr\u00eda revelar contenido del archivo que normalmente solo es visible para los usuarios que han iniciado sesi\u00f3n. Este problema se puede encadenar con otro c\u00f3digo de explotaci\u00f3n para lograr ataques XSS contra dotCMS."
}
],
"id": "CVE-2022-35740",
"lastModified": "2025-05-01T14:15:25.520",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-11-10T21:15:10.230",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/dotCMS/patches-hotfixes/tree/master/com.dotcms.security.matrixparams"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://www.dotcms.com/security/SI-63"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/dotCMS/patches-hotfixes/tree/master/com.dotcms.security.matrixparams"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://www.dotcms.com/security/SI-63"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-37431
Vulnerability from fkie_nvd - Published: 2022-08-05 06:15 - Updated: 2024-11-21 07:14
Severity ?
Summary
A Reflected Cross-site scripting (XSS) issue was discovered in dotCMS Core through 22.06. This occurs in the admin portal when the configuration has XSS_PROTECTION_ENABLED=false. NOTE: the vendor disputes this because the current product behavior, in effect, has XSS_PROTECTION_ENABLED=true in all configurations
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://fortiguard.fortinet.com/zeroday/FG-VD-22-062 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://fortiguard.fortinet.com/zeroday/FG-VD-22-062 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3CCBBE18-A764-4EC8-92AA-EB5B115BD7B7",
"versionEndIncluding": "22.06",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "cve@mitre.org",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Reflected Cross-site scripting (XSS) issue was discovered in dotCMS Core through 22.06. This occurs in the admin portal when the configuration has XSS_PROTECTION_ENABLED=false. NOTE: the vendor disputes this because the current product behavior, in effect, has XSS_PROTECTION_ENABLED=true in all configurations"
},
{
"lang": "es",
"value": "** EN DISPUTA ** Se ha detectado un problema de tipo Cross-site scripting (XSS) Reflejado en dotCMS Core versiones hasta 22.06. Esto ocurre en el portal de administraci\u00f3n cuando la configuraci\u00f3n presenta XSS_PROTECTION_ENABLED=false. NOTA: el proveedor discute esto porque el comportamiento actual del producto, en efecto, tiene XSS_PROTECTION_ENABLED=true en todas las configuraciones"
}
],
"id": "CVE-2022-37431",
"lastModified": "2024-11-21T07:14:58.917",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-08-05T06:15:08.723",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://fortiguard.fortinet.com/zeroday/FG-VD-22-062"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://fortiguard.fortinet.com/zeroday/FG-VD-22-062"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-3938 (GCVE-0-2024-3938)
Vulnerability from cvelistv5 – Published: 2024-07-25 21:17 – Updated: 2024-08-01 20:26
VLAI?
Summary
The "reset password" login page accepted an HTML injection via URL parameters.
This has already been rectified via patch, and as such it cannot be demonstrated via Demo site link. Those interested to see the vulnerability may spin up a http://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true&resetEmail=%3Ch1%3E%3Ca%20href%3D%22https:%2F%2Fgoogle.com%22%3ECLICK%20ME%3C%2Fa%3E%3C%2Fh1%3E
This will result in a view along these lines:
* OWASP Top 10 - A03: Injection
* CVSS Score: 5.4
* AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
* https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N&... https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
Severity ?
5.4 (Medium)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| dotCMS | dotCMS core |
Affected:
5.1.5 and after
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3938",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T17:33:18.822280Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T17:33:25.468Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:26:57.098Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.dotcms.com/security/SI-71"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "dotCMS core",
"vendor": "dotCMS",
"versions": [
{
"status": "affected",
"version": "5.1.5 and after"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe \"reset password\" login page accepted an HTML injection via URL parameters.\u003c/p\u003e\u003cp\u003eThis has already been rectified via patch, and as such it cannot be demonstrated via Demo site link. Those interested to see the vulnerability may spin up a \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.dotcms.com/docs/latest/previous-releases\"\u003epast docker image\u003c/a\u003e\u0026nbsp;(prior to dotCMS 24.05.31) and use a link in the following fashion to on their local instance: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true\u0026amp;resetEmail=%3Ch1%3E%3Ca%20href%3D%22https:%2F%2Fgoogle.com%22%3ECLICK%20ME%3C%2Fa%3E%3C%2Fh1%3E\"\u003ehttp://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true\u0026amp;resetEmail=%3Ch1%3E%3Ca%20href%3D%22https:%2F%2Fgoogle.com%22%3ECLICK%20ME%3C%2Fa%3E%3C%2Fh1%3E\u003c/a\u003e\u003c/p\u003e\u003cp\u003eThis will result in a view along these lines:\u003cbr\u003e\u003cimg alt=\"Screenshot 2024-07-25 at 121846PMpng\" src=\"https://auth.dotcms.com/dA/3555fb4020/Screenshot%202024-07-25%20at%2012.18.46PM.png?language_id=1\"\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOWASP Top 10 - A03: Injection\u003c/li\u003e\u003cli\u003eCVSS Score: 5.4\u003c/li\u003e\u003cli\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\u0026amp;version=3.1\"\u003eAV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\u0026amp;version=3.1\"\u003ehttps://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\u0026amp;...\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e\u003cp\u003e\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "The \"reset password\" login page accepted an HTML injection via URL parameters.\n\nThis has already been rectified via patch, and as such it cannot be demonstrated via Demo site link. Those interested to see the vulnerability may spin up a http://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true\u0026resetEmail=%3Ch1%3E%3Ca%20href%3D%22https:%2F%2Fgoogle.com%22%3ECLICK%20ME%3C%2Fa%3E%3C%2Fh1%3E \n\nThis will result in a view along these lines:\n\n\n\n\n\n * OWASP Top 10 - A03: Injection\n * CVSS Score: 5.4\n * AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator \n * https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\u0026... https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator"
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-248 Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T13:09:31.162Z",
"orgId": "5b9d93f2-25c7-46b4-ab60-d201718c9dd8",
"shortName": "dotCMS"
},
"references": [
{
"url": "https://www.dotcms.com/security/SI-71"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5b9d93f2-25c7-46b4-ab60-d201718c9dd8",
"assignerShortName": "dotCMS",
"cveId": "CVE-2024-3938",
"datePublished": "2024-07-25T21:17:49.359Z",
"dateReserved": "2024-04-17T19:20:07.143Z",
"dateUpdated": "2024-08-01T20:26:57.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3165 (GCVE-0-2024-3165)
Vulnerability from cvelistv5 – Published: 2024-04-01 21:38 – Updated: 2024-09-30 15:27
VLAI?
Summary
System->Maintenance-> Log Files in dotCMS dashboard is providing the username/password for database connections in the log output. Nevertheless, this is a moderate issue as it requires a backend admin as well as that dbs are locked down by environment.
OWASP Top 10 - A05) Insecure Design
OWASP Top 10 - A05) Security Misconfiguration
OWASP Top 10 - A09) Security Logging and Monitoring Failure
Severity ?
4.5 (Medium)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| dotCMS | dotCMS core |
Affected:
22.02 and after
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:05:07.539Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.dotcms.com/security/SI-70"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/dotCMS/core/issues/27910"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/dotCMS/core/pull/28006"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dotcms",
"vendor": "dotcms",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "22.02",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3165",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-02T15:07:00.832616Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T15:35:24.144Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "dotCMS core",
"vendor": "dotCMS",
"versions": [
{
"status": "affected",
"version": "22.02 and after"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eSystem-\u0026gt;Maintenance-\u0026gt; Log Files in dotCMS dashboard is providing the username/password for database connections in the log output. Nevertheless, this is a moderate issue as it requires a backend admin as well as that dbs are locked down by environment. \u0026nbsp;\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eOWASP Top 10 - A05) Insecure Design\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eOWASP Top 10 - A05) Security Misconfiguration\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eOWASP Top 10 - A09) Security Logging and Monitoring Failure\u003c/span\u003e\u003c/p\u003e\u003c/b\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "System-\u003eMaintenance-\u003e Log Files in dotCMS dashboard is providing the username/password for database connections in the log output. Nevertheless, this is a moderate issue as it requires a backend admin as well as that dbs are locked down by environment. \u00a0\n\nOWASP Top 10 - A05) Insecure Design\n\nOWASP Top 10 - A05) Security Misconfiguration\n\nOWASP Top 10 - A09) Security Logging and Monitoring Failure"
}
],
"impacts": [
{
"capecId": "CAPEC-131",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-131 Resource Leak Exposure"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T15:27:54.804Z",
"orgId": "5b9d93f2-25c7-46b4-ab60-d201718c9dd8",
"shortName": "dotCMS"
},
"references": [
{
"url": "https://www.dotcms.com/security/SI-70"
},
{
"url": "https://github.com/dotCMS/core/issues/27910"
},
{
"url": "https://github.com/dotCMS/core/pull/28006"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Database Credential Exposure in the Logs",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "5b9d93f2-25c7-46b4-ab60-d201718c9dd8",
"assignerShortName": "dotCMS",
"cveId": "CVE-2024-3165",
"datePublished": "2024-04-01T21:38:04.085Z",
"dateReserved": "2024-04-01T21:31:06.377Z",
"dateUpdated": "2024-09-30T15:27:54.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3164 (GCVE-0-2024-3164)
Vulnerability from cvelistv5 – Published: 2024-04-01 21:27 – Updated: 2024-09-30 15:30
VLAI?
Summary
In dotCMS dashboard, the Tools and Log Files tabs under System → Maintenance Portlet, which is and always has been an Admin portlet, is accessible to anyone with that portlet and not just to CMS Admins. Users that get site admin but not a system admin, should not have access to the System Maintenance → Tools portlet. This would share database username and password under Log Files and download DB Dump and other dotCMS Content under Tools. Nothing in the System → Maintenance should be displayed for users with site admin role. Only system admins must have access to System Maintenance.
OWASP Top 10 - A01) Broken Access Control
OWASP Top 10 - A04) Insecure Design
Severity ?
4.5 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| dotCMS | dotCMS core |
Affected:
22.02 and after
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:dotcms:dotcms:22.02:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "dotcms",
"vendor": "dotcms",
"versions": [
{
"status": "affected",
"version": "22.02"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3164",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T20:19:19.811850Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T20:23:37.174Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:05:08.365Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.dotcms.com/security/SI-69"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/dotCMS/core/pull/27912"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/dotCMS/core/issues/27909"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "dotCMS core",
"vendor": "dotCMS",
"versions": [
{
"status": "affected",
"version": "22.02 and after"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eIn dotCMS dashboard, the Tools and Log Files tabs under System \u2192 Maintenance Portlet, which is and always has been an Admin portlet, is accessible to anyone with that portlet and not just to CMS Admins. Users that get site admin but not a system admin, should not have access to the System Maintenance \u2192 Tools portlet. This would share database username and password under Log Files and download DB Dump and other dotCMS Content under Tools. Nothing in the System \u2192 Maintenance should be displayed for users with site admin role. Only system admins must have access to System Maintenance.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eOWASP Top 10 - A01) Broken Access Control\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eOWASP Top 10 - A04) Insecure Design\u003c/span\u003e\u003c/p\u003e\u003c/b\u003e"
}
],
"value": "In dotCMS dashboard, the Tools and Log Files tabs under System \u2192 Maintenance Portlet, which is and always has been an Admin portlet, is accessible to anyone with that portlet and not just to CMS Admins. Users that get site admin but not a system admin, should not have access to the System Maintenance \u2192 Tools portlet. This would share database username and password under Log Files and download DB Dump and other dotCMS Content under Tools. Nothing in the System \u2192 Maintenance should be displayed for users with site admin role. Only system admins must have access to System Maintenance.\n\nOWASP Top 10 - A01) Broken Access Control\n\nOWASP Top 10 - A04) Insecure Design"
}
],
"impacts": [
{
"capecId": "CAPEC-131",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-131 Resource Leak Exposure"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T15:30:31.887Z",
"orgId": "5b9d93f2-25c7-46b4-ab60-d201718c9dd8",
"shortName": "dotCMS"
},
"references": [
{
"url": "https://www.dotcms.com/security/SI-69"
},
{
"url": "https://github.com/dotCMS/core/pull/27912"
},
{
"url": "https://github.com/dotCMS/core/issues/27909"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "5b9d93f2-25c7-46b4-ab60-d201718c9dd8",
"assignerShortName": "dotCMS",
"cveId": "CVE-2024-3164",
"datePublished": "2024-04-01T21:27:51.580Z",
"dateReserved": "2024-04-01T21:21:28.290Z",
"dateUpdated": "2024-09-30T15:30:31.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3042 (GCVE-0-2023-3042)
Vulnerability from cvelistv5 – Published: 2023-10-17 22:52 – Updated: 2025-06-12 15:05
VLAI?
Summary
In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should return a 404 response but didn't.
The oversight in the default invalid URL character list can be viewed at the provided GitHub link https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 .
To mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables.
Specifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings.
Additionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs.
Fix Version:23.06+, LTS 22.03.7+, LTS 23.01.4+
Severity ?
5.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| dotCMS | dotCMS core |
Affected:
5.3.8
Affected: 21.06 Affected: 22.03 Affected: 23.01 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:41:04.130Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.dotcms.com/security/SI-68"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3042",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-12T15:05:05.713927Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-12T15:05:44.260Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "dotCMS core",
"vendor": "dotCMS",
"versions": [
{
"status": "affected",
"version": "5.3.8"
},
{
"status": "affected",
"version": "21.06"
},
{
"status": "affected",
"version": "22.03"
},
{
"status": "affected",
"version": "23.01"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp\"\u003ehttps://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp\u003c/a\u003e, which should return a 404 response but didn\u0027t. \u003cbr\u003e\u003cbr\u003eThe oversight in the default invalid URL character list can be viewed at the provided \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37\"\u003eGitHub link\u003c/a\u003e.\u0026nbsp;\u003cbr\u003e\u003cbr\u003eTo mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables.\u003cbr\u003e\u003cbr\u003eSpecifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings. \u003cbr\u003e\u003cbr\u003eAdditionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs.\u003cbr\u003e\u003cbr\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003cth\u003eFix Version:\u003c/th\u003e\u003ctd\u003e23.06+, LTS 22.03.7+, LTS 23.01.4+\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e"
}
],
"value": "In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should return a 404 response but didn\u0027t. \n\nThe oversight in the default invalid URL character list can be viewed at the provided GitHub link https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 .\u00a0\n\nTo mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables.\n\nSpecifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings. \n\nAdditionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs.\n\nFix Version:23.06+, LTS 22.03.7+, LTS 23.01.4+"
}
],
"impacts": [
{
"capecId": "CAPEC-247",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-247 XSS Using Invalid Characters"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T15:25:26.548Z",
"orgId": "5b9d93f2-25c7-46b4-ab60-d201718c9dd8",
"shortName": "dotCMS"
},
"references": [
{
"url": "https://www.dotcms.com/security/SI-68"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CNA SHORTNAME: dotCMSORG UUID: 5b9d93f2-25c7-46b4-ab60-d201718c9dd8",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "5b9d93f2-25c7-46b4-ab60-d201718c9dd8",
"assignerShortName": "dotCMS",
"cveId": "CVE-2023-3042",
"datePublished": "2023-10-17T22:52:05.453Z",
"dateReserved": "2023-06-01T20:26:04.134Z",
"dateUpdated": "2025-06-12T15:05:44.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-37034 (GCVE-0-2022-37034)
Vulnerability from cvelistv5 – Published: 2023-02-01 00:00 – Updated: 2025-03-27 16:14
VLAI?
Summary
In dotCMS 5.x-22.06, it is possible to call the TempResource multiple times, each time requesting the dotCMS server to download a large file. If done repeatedly, this will result in Tomcat request-thread exhaustion and ultimately a denial of any other requests.
Severity ?
5.3 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:21:32.600Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.dotcms.com/security/SI-65"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-37034",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T16:14:13.966493Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674 Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T16:14:45.446Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In dotCMS 5.x-22.06, it is possible to call the TempResource multiple times, each time requesting the dotCMS server to download a large file. If done repeatedly, this will result in Tomcat request-thread exhaustion and ultimately a denial of any other requests."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-01T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.dotcms.com/security/SI-65"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-37034",
"datePublished": "2023-02-01T00:00:00.000Z",
"dateReserved": "2022-07-29T00:00:00.000Z",
"dateUpdated": "2025-03-27T16:14:45.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-37033 (GCVE-0-2022-37033)
Vulnerability from cvelistv5 – Published: 2023-02-01 00:00 – Updated: 2025-03-27 16:21
VLAI?
Summary
In dotCMS 5.x-22.06, TempFileAPI allows a user to create a temporary file based on a passed in URL, while attempting to block any SSRF access to local IP addresses or private subnets. In resolving this URL, the TempFileAPI follows any 302 redirects that the remote URL returns. Because there is no re-validation of the redirect URL, the TempFileAPI can be used to return data from those local/private hosts that should not be accessible remotely.
Severity ?
6.5 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:21:32.490Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.dotcms.com/security/SI-64"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-37033",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T16:20:57.926240Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T16:21:33.289Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In dotCMS 5.x-22.06, TempFileAPI allows a user to create a temporary file based on a passed in URL, while attempting to block any SSRF access to local IP addresses or private subnets. In resolving this URL, the TempFileAPI follows any 302 redirects that the remote URL returns. Because there is no re-validation of the redirect URL, the TempFileAPI can be used to return data from those local/private hosts that should not be accessible remotely."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-01T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.dotcms.com/security/SI-64"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-37033",
"datePublished": "2023-02-01T00:00:00.000Z",
"dateReserved": "2022-07-29T00:00:00.000Z",
"dateUpdated": "2025-03-27T16:21:33.289Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45782 (GCVE-0-2022-45782)
Vulnerability from cvelistv5 – Published: 2023-02-01 00:00 – Updated: 2025-03-27 16:12
VLAI?
Summary
An issue was discovered in dotCMS core 5.3.8.5 through 5.3.8.15 and 21.03 through 22.10.1. A cryptographically insecure random generation algorithm for password-reset token generation leads to account takeover.
Severity ?
8.8 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:17:04.165Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.dotcms.com/security/SI-66"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-45782",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T16:12:13.095667Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T16:12:49.683Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in dotCMS core 5.3.8.5 through 5.3.8.15 and 21.03 through 22.10.1. A cryptographically insecure random generation algorithm for password-reset token generation leads to account takeover."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-01T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.dotcms.com/security/SI-66"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-45782",
"datePublished": "2023-02-01T00:00:00.000Z",
"dateReserved": "2022-11-22T00:00:00.000Z",
"dateUpdated": "2025-03-27T16:12:49.683Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45783 (GCVE-0-2022-45783)
Vulnerability from cvelistv5 – Published: 2023-02-01 00:00 – Updated: 2025-03-27 16:11
VLAI?
Summary
An issue was discovered in dotCMS core 4.x through 22.10.2. An authenticated directory traversal vulnerability in the dotCMS API can lead to Remote Code Execution.
Severity ?
6.5 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:17:04.195Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.dotcms.com/security/SI-67"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-45783",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T16:11:01.826845Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T16:11:28.208Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in dotCMS core 4.x through 22.10.2. An authenticated directory traversal vulnerability in the dotCMS API can lead to Remote Code Execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-01T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.dotcms.com/security/SI-67"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-45783",
"datePublished": "2023-02-01T00:00:00.000Z",
"dateReserved": "2022-11-22T00:00:00.000Z",
"dateUpdated": "2025-03-27T16:11:28.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35740 (GCVE-0-2022-35740)
Vulnerability from cvelistv5 – Published: 2022-11-10 00:00 – Updated: 2025-05-01 13:50
VLAI?
Summary
dotCMS before 22.06 allows remote attackers to bypass intended access control and obtain sensitive information by using a semicolon in a URL to introduce a matrix parameter. (This is also fixed in 5.3.8.12, 21.06.9, and 22.03.2 for LTS users.) Some Java application frameworks, including those used by Spring or Tomcat, allow the use of matrix parameters: these are URI parameters separated by semicolons. Through precise semicolon placement in a URI, it is possible to exploit this feature to avoid dotCMS's path-based XSS prevention (such as "require login" filters), and consequently access restricted resources. For example, an attacker could place a semicolon immediately before a / character that separates elements of a filesystem path. This could reveal file content that is ordinarily only visible to signed-in users. This issue can be chained with other exploit code to achieve XSS attacks against dotCMS.
Severity ?
6.1 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:44:21.912Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.dotcms.com/security/SI-63"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/dotCMS/patches-hotfixes/tree/master/com.dotcms.security.matrixparams"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-35740",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-01T13:50:06.746982Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T13:50:10.841Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "dotCMS before 22.06 allows remote attackers to bypass intended access control and obtain sensitive information by using a semicolon in a URL to introduce a matrix parameter. (This is also fixed in 5.3.8.12, 21.06.9, and 22.03.2 for LTS users.) Some Java application frameworks, including those used by Spring or Tomcat, allow the use of matrix parameters: these are URI parameters separated by semicolons. Through precise semicolon placement in a URI, it is possible to exploit this feature to avoid dotCMS\u0027s path-based XSS prevention (such as \"require login\" filters), and consequently access restricted resources. For example, an attacker could place a semicolon immediately before a / character that separates elements of a filesystem path. This could reveal file content that is ordinarily only visible to signed-in users. This issue can be chained with other exploit code to achieve XSS attacks against dotCMS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-10T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.dotcms.com/security/SI-63"
},
{
"url": "https://github.com/dotCMS/patches-hotfixes/tree/master/com.dotcms.security.matrixparams"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-35740",
"datePublished": "2022-11-10T00:00:00.000Z",
"dateReserved": "2022-07-13T00:00:00.000Z",
"dateUpdated": "2025-05-01T13:50:10.841Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-37431 (GCVE-0-2022-37431)
Vulnerability from cvelistv5 – Published: 2022-08-05 05:31 – Updated: 2024-08-03 10:29
VLAI?
Summary
A Reflected Cross-site scripting (XSS) issue was discovered in dotCMS Core through 22.06. This occurs in the admin portal when the configuration has XSS_PROTECTION_ENABLED=false. NOTE: the vendor disputes this because the current product behavior, in effect, has XSS_PROTECTION_ENABLED=true in all configurations
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:29:21.033Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://fortiguard.fortinet.com/zeroday/FG-VD-22-062"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Reflected Cross-site scripting (XSS) issue was discovered in dotCMS Core through 22.06. This occurs in the admin portal when the configuration has XSS_PROTECTION_ENABLED=false. NOTE: the vendor disputes this because the current product behavior, in effect, has XSS_PROTECTION_ENABLED=true in all configurations"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-08T22:45:32",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://fortiguard.fortinet.com/zeroday/FG-VD-22-062"
}
],
"tags": [
"disputed"
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-37431",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** DISPUTED ** A Reflected Cross-site scripting (XSS) issue was discovered in dotCMS Core through 22.06. This occurs in the admin portal when the configuration has XSS_PROTECTION_ENABLED=false. NOTE: the vendor disputes this because the current product behavior, in effect, has XSS_PROTECTION_ENABLED=true in all configurations."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://fortiguard.fortinet.com/zeroday/FG-VD-22-062",
"refsource": "MISC",
"url": "https://fortiguard.fortinet.com/zeroday/FG-VD-22-062"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-37431",
"datePublished": "2022-08-05T05:31:15",
"dateReserved": "2022-08-05T00:00:00",
"dateUpdated": "2024-08-03T10:29:21.033Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3938 (GCVE-0-2024-3938)
Vulnerability from nvd – Published: 2024-07-25 21:17 – Updated: 2024-08-01 20:26
VLAI?
Summary
The "reset password" login page accepted an HTML injection via URL parameters.
This has already been rectified via patch, and as such it cannot be demonstrated via Demo site link. Those interested to see the vulnerability may spin up a http://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true&resetEmail=%3Ch1%3E%3Ca%20href%3D%22https:%2F%2Fgoogle.com%22%3ECLICK%20ME%3C%2Fa%3E%3C%2Fh1%3E
This will result in a view along these lines:
* OWASP Top 10 - A03: Injection
* CVSS Score: 5.4
* AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
* https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N&... https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
Severity ?
5.4 (Medium)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| dotCMS | dotCMS core |
Affected:
5.1.5 and after
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3938",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T17:33:18.822280Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T17:33:25.468Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:26:57.098Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.dotcms.com/security/SI-71"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "dotCMS core",
"vendor": "dotCMS",
"versions": [
{
"status": "affected",
"version": "5.1.5 and after"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe \"reset password\" login page accepted an HTML injection via URL parameters.\u003c/p\u003e\u003cp\u003eThis has already been rectified via patch, and as such it cannot be demonstrated via Demo site link. Those interested to see the vulnerability may spin up a \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.dotcms.com/docs/latest/previous-releases\"\u003epast docker image\u003c/a\u003e\u0026nbsp;(prior to dotCMS 24.05.31) and use a link in the following fashion to on their local instance: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true\u0026amp;resetEmail=%3Ch1%3E%3Ca%20href%3D%22https:%2F%2Fgoogle.com%22%3ECLICK%20ME%3C%2Fa%3E%3C%2Fh1%3E\"\u003ehttp://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true\u0026amp;resetEmail=%3Ch1%3E%3Ca%20href%3D%22https:%2F%2Fgoogle.com%22%3ECLICK%20ME%3C%2Fa%3E%3C%2Fh1%3E\u003c/a\u003e\u003c/p\u003e\u003cp\u003eThis will result in a view along these lines:\u003cbr\u003e\u003cimg alt=\"Screenshot 2024-07-25 at 121846PMpng\" src=\"https://auth.dotcms.com/dA/3555fb4020/Screenshot%202024-07-25%20at%2012.18.46PM.png?language_id=1\"\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOWASP Top 10 - A03: Injection\u003c/li\u003e\u003cli\u003eCVSS Score: 5.4\u003c/li\u003e\u003cli\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\u0026amp;version=3.1\"\u003eAV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\u0026amp;version=3.1\"\u003ehttps://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\u0026amp;...\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e\u003cp\u003e\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "The \"reset password\" login page accepted an HTML injection via URL parameters.\n\nThis has already been rectified via patch, and as such it cannot be demonstrated via Demo site link. Those interested to see the vulnerability may spin up a http://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true\u0026resetEmail=%3Ch1%3E%3Ca%20href%3D%22https:%2F%2Fgoogle.com%22%3ECLICK%20ME%3C%2Fa%3E%3C%2Fh1%3E \n\nThis will result in a view along these lines:\n\n\n\n\n\n * OWASP Top 10 - A03: Injection\n * CVSS Score: 5.4\n * AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator \n * https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\u0026... https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator"
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-248 Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T13:09:31.162Z",
"orgId": "5b9d93f2-25c7-46b4-ab60-d201718c9dd8",
"shortName": "dotCMS"
},
"references": [
{
"url": "https://www.dotcms.com/security/SI-71"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5b9d93f2-25c7-46b4-ab60-d201718c9dd8",
"assignerShortName": "dotCMS",
"cveId": "CVE-2024-3938",
"datePublished": "2024-07-25T21:17:49.359Z",
"dateReserved": "2024-04-17T19:20:07.143Z",
"dateUpdated": "2024-08-01T20:26:57.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3165 (GCVE-0-2024-3165)
Vulnerability from nvd – Published: 2024-04-01 21:38 – Updated: 2024-09-30 15:27
VLAI?
Summary
System->Maintenance-> Log Files in dotCMS dashboard is providing the username/password for database connections in the log output. Nevertheless, this is a moderate issue as it requires a backend admin as well as that dbs are locked down by environment.
OWASP Top 10 - A05) Insecure Design
OWASP Top 10 - A05) Security Misconfiguration
OWASP Top 10 - A09) Security Logging and Monitoring Failure
Severity ?
4.5 (Medium)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| dotCMS | dotCMS core |
Affected:
22.02 and after
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:05:07.539Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.dotcms.com/security/SI-70"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/dotCMS/core/issues/27910"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/dotCMS/core/pull/28006"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dotcms",
"vendor": "dotcms",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "22.02",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3165",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-02T15:07:00.832616Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T15:35:24.144Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "dotCMS core",
"vendor": "dotCMS",
"versions": [
{
"status": "affected",
"version": "22.02 and after"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eSystem-\u0026gt;Maintenance-\u0026gt; Log Files in dotCMS dashboard is providing the username/password for database connections in the log output. Nevertheless, this is a moderate issue as it requires a backend admin as well as that dbs are locked down by environment. \u0026nbsp;\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eOWASP Top 10 - A05) Insecure Design\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eOWASP Top 10 - A05) Security Misconfiguration\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eOWASP Top 10 - A09) Security Logging and Monitoring Failure\u003c/span\u003e\u003c/p\u003e\u003c/b\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "System-\u003eMaintenance-\u003e Log Files in dotCMS dashboard is providing the username/password for database connections in the log output. Nevertheless, this is a moderate issue as it requires a backend admin as well as that dbs are locked down by environment. \u00a0\n\nOWASP Top 10 - A05) Insecure Design\n\nOWASP Top 10 - A05) Security Misconfiguration\n\nOWASP Top 10 - A09) Security Logging and Monitoring Failure"
}
],
"impacts": [
{
"capecId": "CAPEC-131",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-131 Resource Leak Exposure"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T15:27:54.804Z",
"orgId": "5b9d93f2-25c7-46b4-ab60-d201718c9dd8",
"shortName": "dotCMS"
},
"references": [
{
"url": "https://www.dotcms.com/security/SI-70"
},
{
"url": "https://github.com/dotCMS/core/issues/27910"
},
{
"url": "https://github.com/dotCMS/core/pull/28006"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Database Credential Exposure in the Logs",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "5b9d93f2-25c7-46b4-ab60-d201718c9dd8",
"assignerShortName": "dotCMS",
"cveId": "CVE-2024-3165",
"datePublished": "2024-04-01T21:38:04.085Z",
"dateReserved": "2024-04-01T21:31:06.377Z",
"dateUpdated": "2024-09-30T15:27:54.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3164 (GCVE-0-2024-3164)
Vulnerability from nvd – Published: 2024-04-01 21:27 – Updated: 2024-09-30 15:30
VLAI?
Summary
In dotCMS dashboard, the Tools and Log Files tabs under System → Maintenance Portlet, which is and always has been an Admin portlet, is accessible to anyone with that portlet and not just to CMS Admins. Users that get site admin but not a system admin, should not have access to the System Maintenance → Tools portlet. This would share database username and password under Log Files and download DB Dump and other dotCMS Content under Tools. Nothing in the System → Maintenance should be displayed for users with site admin role. Only system admins must have access to System Maintenance.
OWASP Top 10 - A01) Broken Access Control
OWASP Top 10 - A04) Insecure Design
Severity ?
4.5 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| dotCMS | dotCMS core |
Affected:
22.02 and after
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:dotcms:dotcms:22.02:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "dotcms",
"vendor": "dotcms",
"versions": [
{
"status": "affected",
"version": "22.02"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3164",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T20:19:19.811850Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T20:23:37.174Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:05:08.365Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.dotcms.com/security/SI-69"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/dotCMS/core/pull/27912"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/dotCMS/core/issues/27909"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "dotCMS core",
"vendor": "dotCMS",
"versions": [
{
"status": "affected",
"version": "22.02 and after"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eIn dotCMS dashboard, the Tools and Log Files tabs under System \u2192 Maintenance Portlet, which is and always has been an Admin portlet, is accessible to anyone with that portlet and not just to CMS Admins. Users that get site admin but not a system admin, should not have access to the System Maintenance \u2192 Tools portlet. This would share database username and password under Log Files and download DB Dump and other dotCMS Content under Tools. Nothing in the System \u2192 Maintenance should be displayed for users with site admin role. Only system admins must have access to System Maintenance.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eOWASP Top 10 - A01) Broken Access Control\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eOWASP Top 10 - A04) Insecure Design\u003c/span\u003e\u003c/p\u003e\u003c/b\u003e"
}
],
"value": "In dotCMS dashboard, the Tools and Log Files tabs under System \u2192 Maintenance Portlet, which is and always has been an Admin portlet, is accessible to anyone with that portlet and not just to CMS Admins. Users that get site admin but not a system admin, should not have access to the System Maintenance \u2192 Tools portlet. This would share database username and password under Log Files and download DB Dump and other dotCMS Content under Tools. Nothing in the System \u2192 Maintenance should be displayed for users with site admin role. Only system admins must have access to System Maintenance.\n\nOWASP Top 10 - A01) Broken Access Control\n\nOWASP Top 10 - A04) Insecure Design"
}
],
"impacts": [
{
"capecId": "CAPEC-131",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-131 Resource Leak Exposure"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T15:30:31.887Z",
"orgId": "5b9d93f2-25c7-46b4-ab60-d201718c9dd8",
"shortName": "dotCMS"
},
"references": [
{
"url": "https://www.dotcms.com/security/SI-69"
},
{
"url": "https://github.com/dotCMS/core/pull/27912"
},
{
"url": "https://github.com/dotCMS/core/issues/27909"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "5b9d93f2-25c7-46b4-ab60-d201718c9dd8",
"assignerShortName": "dotCMS",
"cveId": "CVE-2024-3164",
"datePublished": "2024-04-01T21:27:51.580Z",
"dateReserved": "2024-04-01T21:21:28.290Z",
"dateUpdated": "2024-09-30T15:30:31.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3042 (GCVE-0-2023-3042)
Vulnerability from nvd – Published: 2023-10-17 22:52 – Updated: 2025-06-12 15:05
VLAI?
Summary
In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should return a 404 response but didn't.
The oversight in the default invalid URL character list can be viewed at the provided GitHub link https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 .
To mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables.
Specifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings.
Additionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs.
Fix Version:23.06+, LTS 22.03.7+, LTS 23.01.4+
Severity ?
5.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| dotCMS | dotCMS core |
Affected:
5.3.8
Affected: 21.06 Affected: 22.03 Affected: 23.01 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:41:04.130Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.dotcms.com/security/SI-68"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3042",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-12T15:05:05.713927Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-12T15:05:44.260Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "dotCMS core",
"vendor": "dotCMS",
"versions": [
{
"status": "affected",
"version": "5.3.8"
},
{
"status": "affected",
"version": "21.06"
},
{
"status": "affected",
"version": "22.03"
},
{
"status": "affected",
"version": "23.01"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp\"\u003ehttps://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp\u003c/a\u003e, which should return a 404 response but didn\u0027t. \u003cbr\u003e\u003cbr\u003eThe oversight in the default invalid URL character list can be viewed at the provided \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37\"\u003eGitHub link\u003c/a\u003e.\u0026nbsp;\u003cbr\u003e\u003cbr\u003eTo mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables.\u003cbr\u003e\u003cbr\u003eSpecifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings. \u003cbr\u003e\u003cbr\u003eAdditionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs.\u003cbr\u003e\u003cbr\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003cth\u003eFix Version:\u003c/th\u003e\u003ctd\u003e23.06+, LTS 22.03.7+, LTS 23.01.4+\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e"
}
],
"value": "In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should return a 404 response but didn\u0027t. \n\nThe oversight in the default invalid URL character list can be viewed at the provided GitHub link https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 .\u00a0\n\nTo mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables.\n\nSpecifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings. \n\nAdditionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs.\n\nFix Version:23.06+, LTS 22.03.7+, LTS 23.01.4+"
}
],
"impacts": [
{
"capecId": "CAPEC-247",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-247 XSS Using Invalid Characters"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T15:25:26.548Z",
"orgId": "5b9d93f2-25c7-46b4-ab60-d201718c9dd8",
"shortName": "dotCMS"
},
"references": [
{
"url": "https://www.dotcms.com/security/SI-68"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CNA SHORTNAME: dotCMSORG UUID: 5b9d93f2-25c7-46b4-ab60-d201718c9dd8",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "5b9d93f2-25c7-46b4-ab60-d201718c9dd8",
"assignerShortName": "dotCMS",
"cveId": "CVE-2023-3042",
"datePublished": "2023-10-17T22:52:05.453Z",
"dateReserved": "2023-06-01T20:26:04.134Z",
"dateUpdated": "2025-06-12T15:05:44.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-37034 (GCVE-0-2022-37034)
Vulnerability from nvd – Published: 2023-02-01 00:00 – Updated: 2025-03-27 16:14
VLAI?
Summary
In dotCMS 5.x-22.06, it is possible to call the TempResource multiple times, each time requesting the dotCMS server to download a large file. If done repeatedly, this will result in Tomcat request-thread exhaustion and ultimately a denial of any other requests.
Severity ?
5.3 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:21:32.600Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.dotcms.com/security/SI-65"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-37034",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T16:14:13.966493Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674 Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T16:14:45.446Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In dotCMS 5.x-22.06, it is possible to call the TempResource multiple times, each time requesting the dotCMS server to download a large file. If done repeatedly, this will result in Tomcat request-thread exhaustion and ultimately a denial of any other requests."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-01T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.dotcms.com/security/SI-65"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-37034",
"datePublished": "2023-02-01T00:00:00.000Z",
"dateReserved": "2022-07-29T00:00:00.000Z",
"dateUpdated": "2025-03-27T16:14:45.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-37033 (GCVE-0-2022-37033)
Vulnerability from nvd – Published: 2023-02-01 00:00 – Updated: 2025-03-27 16:21
VLAI?
Summary
In dotCMS 5.x-22.06, TempFileAPI allows a user to create a temporary file based on a passed in URL, while attempting to block any SSRF access to local IP addresses or private subnets. In resolving this URL, the TempFileAPI follows any 302 redirects that the remote URL returns. Because there is no re-validation of the redirect URL, the TempFileAPI can be used to return data from those local/private hosts that should not be accessible remotely.
Severity ?
6.5 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:21:32.490Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.dotcms.com/security/SI-64"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-37033",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T16:20:57.926240Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T16:21:33.289Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In dotCMS 5.x-22.06, TempFileAPI allows a user to create a temporary file based on a passed in URL, while attempting to block any SSRF access to local IP addresses or private subnets. In resolving this URL, the TempFileAPI follows any 302 redirects that the remote URL returns. Because there is no re-validation of the redirect URL, the TempFileAPI can be used to return data from those local/private hosts that should not be accessible remotely."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-01T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.dotcms.com/security/SI-64"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-37033",
"datePublished": "2023-02-01T00:00:00.000Z",
"dateReserved": "2022-07-29T00:00:00.000Z",
"dateUpdated": "2025-03-27T16:21:33.289Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45782 (GCVE-0-2022-45782)
Vulnerability from nvd – Published: 2023-02-01 00:00 – Updated: 2025-03-27 16:12
VLAI?
Summary
An issue was discovered in dotCMS core 5.3.8.5 through 5.3.8.15 and 21.03 through 22.10.1. A cryptographically insecure random generation algorithm for password-reset token generation leads to account takeover.
Severity ?
8.8 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:17:04.165Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.dotcms.com/security/SI-66"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-45782",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T16:12:13.095667Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T16:12:49.683Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in dotCMS core 5.3.8.5 through 5.3.8.15 and 21.03 through 22.10.1. A cryptographically insecure random generation algorithm for password-reset token generation leads to account takeover."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-01T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.dotcms.com/security/SI-66"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-45782",
"datePublished": "2023-02-01T00:00:00.000Z",
"dateReserved": "2022-11-22T00:00:00.000Z",
"dateUpdated": "2025-03-27T16:12:49.683Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45783 (GCVE-0-2022-45783)
Vulnerability from nvd – Published: 2023-02-01 00:00 – Updated: 2025-03-27 16:11
VLAI?
Summary
An issue was discovered in dotCMS core 4.x through 22.10.2. An authenticated directory traversal vulnerability in the dotCMS API can lead to Remote Code Execution.
Severity ?
6.5 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:17:04.195Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.dotcms.com/security/SI-67"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-45783",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T16:11:01.826845Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T16:11:28.208Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in dotCMS core 4.x through 22.10.2. An authenticated directory traversal vulnerability in the dotCMS API can lead to Remote Code Execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-01T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.dotcms.com/security/SI-67"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-45783",
"datePublished": "2023-02-01T00:00:00.000Z",
"dateReserved": "2022-11-22T00:00:00.000Z",
"dateUpdated": "2025-03-27T16:11:28.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35740 (GCVE-0-2022-35740)
Vulnerability from nvd – Published: 2022-11-10 00:00 – Updated: 2025-05-01 13:50
VLAI?
Summary
dotCMS before 22.06 allows remote attackers to bypass intended access control and obtain sensitive information by using a semicolon in a URL to introduce a matrix parameter. (This is also fixed in 5.3.8.12, 21.06.9, and 22.03.2 for LTS users.) Some Java application frameworks, including those used by Spring or Tomcat, allow the use of matrix parameters: these are URI parameters separated by semicolons. Through precise semicolon placement in a URI, it is possible to exploit this feature to avoid dotCMS's path-based XSS prevention (such as "require login" filters), and consequently access restricted resources. For example, an attacker could place a semicolon immediately before a / character that separates elements of a filesystem path. This could reveal file content that is ordinarily only visible to signed-in users. This issue can be chained with other exploit code to achieve XSS attacks against dotCMS.
Severity ?
6.1 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:44:21.912Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.dotcms.com/security/SI-63"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/dotCMS/patches-hotfixes/tree/master/com.dotcms.security.matrixparams"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-35740",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-01T13:50:06.746982Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T13:50:10.841Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "dotCMS before 22.06 allows remote attackers to bypass intended access control and obtain sensitive information by using a semicolon in a URL to introduce a matrix parameter. (This is also fixed in 5.3.8.12, 21.06.9, and 22.03.2 for LTS users.) Some Java application frameworks, including those used by Spring or Tomcat, allow the use of matrix parameters: these are URI parameters separated by semicolons. Through precise semicolon placement in a URI, it is possible to exploit this feature to avoid dotCMS\u0027s path-based XSS prevention (such as \"require login\" filters), and consequently access restricted resources. For example, an attacker could place a semicolon immediately before a / character that separates elements of a filesystem path. This could reveal file content that is ordinarily only visible to signed-in users. This issue can be chained with other exploit code to achieve XSS attacks against dotCMS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-10T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.dotcms.com/security/SI-63"
},
{
"url": "https://github.com/dotCMS/patches-hotfixes/tree/master/com.dotcms.security.matrixparams"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-35740",
"datePublished": "2022-11-10T00:00:00.000Z",
"dateReserved": "2022-07-13T00:00:00.000Z",
"dateUpdated": "2025-05-01T13:50:10.841Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-37431 (GCVE-0-2022-37431)
Vulnerability from nvd – Published: 2022-08-05 05:31 – Updated: 2024-08-03 10:29
VLAI?
Summary
A Reflected Cross-site scripting (XSS) issue was discovered in dotCMS Core through 22.06. This occurs in the admin portal when the configuration has XSS_PROTECTION_ENABLED=false. NOTE: the vendor disputes this because the current product behavior, in effect, has XSS_PROTECTION_ENABLED=true in all configurations
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:29:21.033Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://fortiguard.fortinet.com/zeroday/FG-VD-22-062"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Reflected Cross-site scripting (XSS) issue was discovered in dotCMS Core through 22.06. This occurs in the admin portal when the configuration has XSS_PROTECTION_ENABLED=false. NOTE: the vendor disputes this because the current product behavior, in effect, has XSS_PROTECTION_ENABLED=true in all configurations"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-08T22:45:32",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://fortiguard.fortinet.com/zeroday/FG-VD-22-062"
}
],
"tags": [
"disputed"
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-37431",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** DISPUTED ** A Reflected Cross-site scripting (XSS) issue was discovered in dotCMS Core through 22.06. This occurs in the admin portal when the configuration has XSS_PROTECTION_ENABLED=false. NOTE: the vendor disputes this because the current product behavior, in effect, has XSS_PROTECTION_ENABLED=true in all configurations."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://fortiguard.fortinet.com/zeroday/FG-VD-22-062",
"refsource": "MISC",
"url": "https://fortiguard.fortinet.com/zeroday/FG-VD-22-062"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-37431",
"datePublished": "2022-08-05T05:31:15",
"dateReserved": "2022-08-05T00:00:00",
"dateUpdated": "2024-08-03T10:29:21.033Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}