SessionID Visible to All Admins Via Logged Users Tab

Fri, 19 Apr 2024 13:00:00 -0400

In the System → Maintenance tool, the Logged Users tab surfaces sessionId data for all users via the Direct Web Remoting API (UserSessionAjax.getSessionList.dwr) calls. While this ...

HTML Injection Error on Password Reset Login Page

Mon, 8 Apr 2024 00:00:00 -0400

The "reset password" login page accepted an HTML injection via URL parameters.

This has already been rectified via patch, and as such it cannot be demonstrated via Demo site link...

Improper Handling of Database Credentials During Logging

Fri, 15 Mar 2024 01:00:00 -0400

The username and password for PostgreSQL database connections appears in the log output visible in the System → Maintenance tool.

OWASP Top ...

Broken Access Control for Roles with User Admin

Fri, 15 Mar 2024 00:00:00 -0400

The Tools and Log Files tabs under the System → Maintenance tool, which is and always has been an admin tool, are accessible to some without the CMS Admin role.

/api/integrity/_fixconflictsfromremote" endpoint is accepted and extracted without performing path traversal check...

Insecure random number generation in password reset token

Wed, 30 Nov 2022 00:00:00 -0500

dotCMS password reset token is generated using an insecure method randomAlphanumeric() which is not cryptographically secure and can be brute-forced. This may lead an attacker to gain access to admin account by requesting a password reset ...

TempFileAPI can bypass access restrictions to access local/private network resources

Thu, 25 Aug 2022 09:30:00 -0400

dotCMS TempFileAPI allows a user to create a temporary files based on a passed in url - though dotCMS attempts to block any access to urls that contain local ips or private subnets. In resolving the remote url, the TempFileAPI follows any 302 redirects ...

Possible DOS by overloading the TempFileResource

Wed, 17 Aug 2022 13:45:00 -0400

It is possible to call the TempFileResource multiple times, each time requesting the dotCMS server to download a large file. If done enough repeatedly, this will result in the Tomcat Request Thread pool to be exhausted and ultimately a denial of any other...

Matrix URI parameters can expose private assets

Tue, 14 Jun 2022 13:45:00 -0400

Some Java Application frameworks, including those used by Spring or Tomcat, allow the use of “matrix parameters” — URI parameters separated by...

Multipart File Directory Traversal can lead to remote execution

Mon, 28 Mar 2022 08:00:00 -0400

When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the file down in a temp directory. In the case of this vulnerability, dotCMS does not sanitize the filename passed in via the multipart request ...

Log4j Zero-Day Exploit (CVE-2021-44228)

Mon, 20 Dec 2021 10:15:00 -0500

On Friday 12/10/2021, a critical vulnerability notification (CVE-2021-44228) was released regarding a vulnerability in the log4j library, which is a very common open-source component used by ...

Server-Side Request Forgery (SSRF) in dotcms/core

Tue, 14 Dec 2021 10:30:00 -0500

dotCMS TempFileAPI allows a SSRF that can allow to access to internal systems accessible via url

For example if dotCMS is connected to an unsecured elastisearch instance, this SSRF we can direct access the elastisearch REST API
In ...

Improper Privilege Management in Velocity

Mon, 13 Dec 2021 11:30:00 -0500

While editing a template we have total access to the User and UserModel classes via $user
One of the UserModel methods is called setUserId
If we call setUserId and pass "system" as parameter we get access to the system user role
To...

log4j2 JNDI Remote Expoit

Fri, 10 Dec 2021 08:30:00 -0500

Like most enterprise java based systems, dotCMS relies on log4j2 for system logging. Apache Log4j2 <=2.14.1 JNDI features that are used in configuration, log messages, and parameters do not protect against ...

XStream vulnerable to arbitrary execution of code

Wed, 19 May 2021 05:00:00 -0400

An issue was discovered in dotCMS 3.0 through 5.3.8.4 and 20.10 through 21.04. When PUTting or POSTing content via /api/content in the XML format, the processed XML stream, at unmarshalling time, contains type information to recreate the...

Authenticated User SQL Injection Vulnerability in api

Fri, 30 Oct 2020 05:15:00 -0400

dotCMS 5.0 through 5.3.9 allows SQL injection by an authenticated user via the system REST api using the endpoint /api/v1/containers. The classes that are used to paginate results of some REST requests...

Authenticated users may instantiate arbitrary Java objects

Fri, 5 Jun 2020 06:25:00 -0400

An authenticated user, with permissions to create and execute Velocity files, can use the Velocity context to execute arbitrary Java objects within the dotCMS code base. When combined with the creation of script files on the server file system, this could...

Incorrect access control can lead to information disclosure and remote execution

Thu, 9 Jan 2020 10:30:00 -0500

dotCMS fails to normalize the URI string when checking if a user should have access to a specific directory. If a dotCMS installation stores its assets under the tomcat's webapps/ROOT/assets directory, then the files and data stored under this...

SQL Injection Possible By Publisher Role

Thu, 6 Jun 2019 03:00:00 -0400

If there are bundles that have not been pushed, it is possible for someone with Publisher permissions to use the view_unpushed_bundles.jsp to inject code into SQL.

Reflected XSS Vulnerability in forward_js.jsp

Thu, 23 May 2019 08:45:00 -0400

Reflected (non-persistent) Cross Site Scripting (XSS) vulnerability exists in forward_js.jsp.

Can track status here: https://github.com/dotCMS/core/issues/16605

User Privilege Escalation Possible In Velocity Code

Fri, 25 Jan 2019 04:00:00 -0500

By publishing custom, problematic vtl code, a user is able to elevate their dotCMS permissions for the duration of their browsing session.

User must have publish permissions to publish the custom vtl file.

Can track status of the issue here: ...

Permissive CORS Policy

Thu, 24 Jan 2019 04:15:00 -0500

dotCMS currently returns a “Access-Control-Allow-Origin” header with a value of "*". This means that the default is to share any public content on this server. While this is a browser enforced security measure, it...

Reflected XSS Vulnerability in referer_js.jsp

Thu, 24 Jan 2019 04:00:00 -0500

Reflected (non-persistent) Cross Site Scripting (XSS) vulnerability exists in /html/common/referer_common.jsp

Can track status here: https://github...

File Upload Vulnerability

Thu, 10 Jan 2019 04:15:00 -0500

A specific dotCMS REST endpoint can be utilized to create files on the server's filesystem.

To exploit this vulnerability, the user must be logged into the backend of dotCMS with administrator permissions.

Status of this issue can be ...

Client Side URL Redirection

Thu, 10 Jan 2019 04:00:00 -0500

A URL of attackers choice can be passed as a parameter to a specific dotCMS endpoint. This endpoint responds with a 302 redirect which causes the browser to load the URL passed into dotCMS. This could be used a part of a phishing attack or to...

File Deletion Vulnerability

Thu, 10 Jan 2019 04:00:00 -0500

A specific dotCMS endpoint can be utilized to delete specified files on the server's filesystem.

To exploit this vulnerability, the user must be logged into the backend of dotCMS with administrator permissions and use a carefully crafted URL.

Status...

XSS vulnerability with image tool

Wed, 3 Oct 2018 20:00:00 -0400

XSS vulnerability exists on /html/portlet/ext/contentlet/image_tools/index.jsp. Please refer to github issue for details:

https://github.com/dotCMS/core/issues/15274

BeanUtil version 1.9.2 and below allows classloader manipulation

Sat, 1 Sep 2018 05:30:00 -0400

dotCMS 3 and 4 series ship with Apache Commons BeanUtils version 1.6.2 and is used in the struts based back end of the dotCMS system. BeanUtils version 1.9.2 and under, including version 1.6.2, do not suppress the class property...

Read access to restricted files in Tomcat on Windows

Sun, 12 Mar 2017 20:00:00 -0400

When running on an OS which does not have a case sensitive filesystem (i.e. Windows), you must not run with the "allowLinking" options turned on: https://tomcat.apache.org/tomcat...

Upload of file types unrestricted

Thu, 9 Mar 2017 02:45:00 -0500

Authenticated users can uploaded bundles that contain files of any type.

Cross-Site Request Forgery (CSRF)

Thu, 9 Mar 2017 02:30:00 -0500

Administrative backend access is vulnerable to CSRF attack. For example, this means that if a user is already logged into the backend of dotCMS and clicks on malicious content (that targets dotCMS) in another tab or window, this malicious content ...

Bundle path traversal

Thu, 9 Mar 2017 02:30:00 -0500

With a user that is authenticated to the backend, intentionally customized bundles can be uploaded that will write files to arbitrary locations on the filesystem.

Blind SQL injection

Tue, 17 Jan 2017 06:30:00 -0500

SQL injection via Categories Servlet - does not require authentication. The only concrete exploit we have at this time is against mySQL 5.5. Since this string does get passed to the DB for evaluation, it is possible that an exploit of this ...

Captcha can be programmatically reused by passing session id

Mon, 31 Oct 2016 20:00:00 -0400

If you use a captcha protected resource like the sendEmailServlet you can pass the same captcha again and again via curl if you use the session id cookie of the original request.

CVE-2016-8600

Insufficient authentication in the CMSMaintenanceAjax class

Wed, 27 Jul 2016 09:15:00 -0400

Under certain conditions, it may be possible to invoke the deleteContentletsFromIdList method of the CMSMaintenance class without proper permissions.

SQL Injection from Workflow Screen III

Tue, 12 Apr 2016 07:15:00 -0400

SQL Injection via workflow screen orderby parameter - requires Authentication.

SQL Injection via REST api

Tue, 12 Apr 2016 05:00:00 -0400

A SQL injection attack is possible via the Content REST api if the api is set to allow for anonymous content saving (which is the shipped default).

Directory traversal vulnerability by Admin

Mon, 11 Apr 2016 11:30:00 -0400

dotCMS provides a mechanism to "tail" a system log files via an online console. It is possible for an Admin (Authenticated user with Admin permissions in the dotCMS system) to specify a file outside of the specified dotCMS log directory to "tail"...

XSS in Lucene Search Admin tool

Mon, 11 Apr 2016 10:30:00 -0400

The lucene search admin tool (Admin only) allows a user to construct and execute a query to run against dotCMS content. The admin tool does not sanitize the query and echo's it back to the user which allows for XSS javascript execution.

SQL Injection via DWR - Requires Authenticated User

Mon, 4 Apr 2016 11:30:00 -0400

A SQL injection vulnerability has been identified in dotCMS 3.3 which, if successfully exploited, could allow an attacker to access sensitive information in the dotcms database.

The vulnerability requires an authenticated dotCMS ...

CSRF Add User

Mon, 30 Nov 2015 17:15:00 -0500

It is possible to use a well formed POST to the DWR USer endpoint and add a new blank user to the dotCMS system. This user will not be provisioned or permissioned in any way, though will be a valid user in the system.

Using this method...

SQL Injection from Workflow Screen II

Mon, 30 Nov 2015 10:00:00 -0500

SQL injection is a method of attack where an attacker can exploit vulnerable code and the type of data an application will accept, and can be exploited in any application parameter that influences a database query. Examples include parameters within the...

SSRF Vulnerability in RESTful ContentAPI

Mon, 30 Nov 2015 10:00:00 -0500

It is possible to force a remote dotCMS server to make an external request for a remote URL.

This does not constitute "critical" security flaws in dotCMS because the nature of a critical SSRF vulnerability is to either expose data from an internal...

jsps exposed to non-authenticated users

Tue, 23 Sep 2014 20:00:00 -0400

There are some administrative jsps that are accessible to non-administrative users. This allows an attacker to target and call those jsps directly from their browsers without authentication.

XSS on "page not found .jsp"

Tue, 23 Sep 2014 08:00:00 -0400

GET Parameter "url" is displayed back to output without proper escaping.

CRLF Header Injection vulnerability

Thu, 17 Jul 2014 11:00:00 -0400

Scanning software (Acunetix) has reported a CRLF Injection vulnerability in the htmlpdf servlet.

I have discussed this report with our Dotcms developers and they feel the report is correct and the problem is located in the Dotcms codebase...

Password fields with enabled autocomplete

Mon, 21 Apr 2014 11:00:00 -0400

The enabled password “autocomplete” feature allows the storage of the dotCMS credentials on the client. A attacker with physical access to the client is able to retrieve the credentials by extracting it from the browsers password storage.

Missing Cookie Security Attribute “httpOnly”

Mon, 21 Apr 2014 11:00:00 -0400

The used session cookie can be read by client side code using JavaScript. This means that a Cross Site Scripting vulnerability in the page allows a attacker to retrieve the session cookie and therefore log in to the administrative interface without a password...

HTTP header injection

Mon, 21 Apr 2014 07:30:00 -0400

A header injection allows a attacker to insert arbitrary HTTP-Headers into the server’s response. This enables a attacker to change cookie values, add additional headers or in the case of a normal page to insert arbitrary code that gets executed as...

Arbitrary URL redirects

Mon, 21 Apr 2014 07:15:00 -0400

Using an arbitrary URL redirect a attacker is able to send visiting clients to a web site of the attacker’s choosing. To successfully mount such a attack the attacker prepares a link to the dotCMS site that looks like a innocent link to an article...

Information disclosure through unauthenticated and unused scripts

Mon, 21 Apr 2014 07:00:00 -0400

A attacker can use the discovered scripts to obtain a information about the server and it’s configuration. Including the internal IP address, hostname and other dotCMS configuration parameters. This can be leveraged in later attacks to further attack...

Vulnerabilities in “Comments” feature

Mon, 21 Apr 2014 06:45:00 -0400

dotCMS employs a “Comments” feature that allows logged in users to comment on articles and pages. Proper security checks are missing so this feature can be misused by a attacker to post comments to the pages or use the “approve comment&rdquo...

Cross Site Scripting filter bypass

Mon, 21 Apr 2014 06:15:00 -0400

The Cross Site Scripting protection, that is responsible for filtering user input to provide a sanitized representation of potentially harmful input, is flawed and can easily be circumvented. This leads to a range of vulnerabilities that allow attackers...

Arbitrary Command Execution

Mon, 21 Apr 2014 06:00:00 -0400

This vulnerability allow authenticated users to view arbitrary files on the server and execute commands on the systems as the user that is running dotCMS on the server. This potentially leads to a full compromise of the server if a high privileged user ...

Forgot Password generates weak password

Mon, 21 Apr 2014 04:45:00 -0400

The vulnerabilities in the user account management allow attackers to circumvent the access controls by brute-forcing weak passwords and using default users to gain possible access to administrative interface. The implementation of the password reset function...

Stored XSS possible in admin tool as authenticated user

Wed, 3 Jul 2013 03:45:00 -0400

In a number of areas in the dotCMS Administrative tool, it is possible for an authenticated user to create stored XSS that executes in the admin user's browser.

In the browser once logged into the admin screen you can use XSS. ...

AJAX requests without a session ID or other form of authentication

Tue, 18 Jun 2013 10:00:00 -0400

It is possible to create a user account (without privileges) using a properly formated remote AJAX call.

XSS Vulnerability on Login Page

Tue, 18 Jun 2013 06:30:00 -0400

Input passed via multiple POST parameters to multiple scripts is not
properly sanitised before being returned to the user. This can be exploited
to execute arbitrary HTML and script code in a user's browser session in
context of an affected...

Cross Site Request Forgery (XSRF or CSRF)

Mon, 10 Jun 2013 07:30:00 -0400

Cross-Site Request Forgery (XSRF or CSRF) has been detected when using the dotCMS admin tools once a user has been authenticated. Because browsers can run code sent by multiple sites, an XSRF attack can occur if one site sends a request (never seen by the...

Possible Clickjacking / no frame busting code in dotCMS admin

Sat, 8 Jun 2013 08:00:00 -0400

It is possible to "clickjack" the dotCMS admin console, which works in a frameset. We need to add the "X-Frame-Options: Deny" / "X-Frame-Options: Sameorigin" header to all requests (both CMS admin and end-user requests).

- For older browsers...

Test pages shipped in product

Fri, 7 Jun 2013 12:00:00 -0400

Testing-related application pages were found within dotCMS. Test pages are usually implemented ad-hoc and often do not adhere to the security requirements/guidelines of the rest of the application, making them a potential security hazard. Recommendations...

Insecure Browser Caching

Fri, 7 Jun 2013 11:00:00 -0400

It has been reported that many dotCMS Admin screens do not include Cache-Control headers. This can allow a client browser to cache dotCMS admin pages (as rendered) locally on the client's computer, which if examined, could expose sensitive content...

Use of Persistent Cookies

Wed, 5 Jun 2013 08:15:00 -0400

Cookies are small bits of data that are sent by the web application but stored locally in the browser. dotCMS uses a cookie to pass information stored in cookies such as session Identifiers, personalization and customization information, and in rare cases...

SQL Injection from Workflow Screen

Wed, 5 Jun 2013 06:45:00 -0400

SQL injection is a method of attack where an attacker can exploit vulnerable code and the type of data an application will accept, and can be exploited in any application parameter that influences a database query. Examples include parameters within the...

Possible Cross Site Redirect

Tue, 4 Jun 2013 09:45:00 -0400

dotCMS needs to ensure application cannot redirect to external sites and Redirects using the referer parameter need to be checked against a lookup table of known-pages for redirection.

It is possible to utilise the application to redirect a...

Cross Domain Scripts Included Within Application

Tue, 4 Jun 2013 07:45:00 -0400

The web application was found to include JavaScript hosted on third party servers within the application:

https://ajax.googleapis.com/ajax/libs/chrome-frame/1/CFInstall...

XSS possible after admin authentication

Sun, 2 Jun 2013 08:00:00 -0400

A number of user input fields within the administrative portal of the application were discovered to accept arbitrary user input that could be returned to the page. One example location where a script could be injected is the page title field of a new HTML...

XSS error on the account login page

Sun, 9 Sep 2012 20:00:00 -0400

1.

XSS in http://dotcms.constantcontact.com/c/portal_public/login
on the my_account_logon paramter (the User ID field on the login form)

my_account_logon='"'>...

dotCMS template permissions allow arbitrary code execution

Thu, 12 Apr 2012 20:00:00 -0400

Overview

The dotCMS content management system version 1.9 and possibly earlier versions, contains a vulnerability that allows users with admin access the appropriate permissions to create a malicious template with arbitrary code. An authenticated...

Cookies do not require SSL

Mon, 6 Jun 2011 07:45:00 -0400

Many security policies state that any area of the website or web application that contains sensitive information or access to privileged functionality such as remote site administration requires that all cookies are sent via SSL during an SSL session. The...

Problem with XSS attack on 404 page

Sun, 6 Feb 2011 19:00:00 -0500

dotCMS has code in the CMSFilter that try to solve issues with XSS attacks, but that code is never called by the 404 page.

This is becuase for all velocity served by the CMS, we use something called

   - com.dotmarketing...

Dotcms Security Issues

SessionID Visible to All Admins Via Logged Users Tab

HTML Injection Error on Password Reset Login Page

Improper Handling of Database Credentials During Logging

Broken Access Control for Roles with User Admin

Insecure random number generation in password reset token

TempFileAPI can bypass access restrictions to access local/private network resources

Possible DOS by overloading the TempFileResource

Matrix URI parameters can expose private assets

Multipart File Directory Traversal can lead to remote execution

Log4j Zero-Day Exploit (CVE-2021-44228)

Server-Side Request Forgery (SSRF) in dotcms/core

Improper Privilege Management in Velocity

log4j2 JNDI Remote Expoit

XStream vulnerable to arbitrary execution of code

Authenticated User SQL Injection Vulnerability in api

Authenticated users may instantiate arbitrary Java objects

Incorrect access control can lead to information disclosure and remote execution

SQL Injection Possible By Publisher Role

Reflected XSS Vulnerability in forward_js.jsp

User Privilege Escalation Possible In Velocity Code

Permissive CORS Policy

Reflected XSS Vulnerability in referer_js.jsp

File Upload Vulnerability

Client Side URL Redirection

File Deletion Vulnerability

XSS vulnerability with image tool

BeanUtil version 1.9.2 and below allows classloader manipulation

Read access to restricted files in Tomcat on Windows

Upload of file types unrestricted

Cross-Site Request Forgery (CSRF)

Bundle path traversal

Blind SQL injection

Captcha can be programmatically reused by passing session id

Insufficient authentication in the CMSMaintenanceAjax class

SQL Injection from Workflow Screen III

SQL Injection via REST api

Directory traversal vulnerability by Admin

XSS in Lucene Search Admin tool

SQL Injection via DWR - Requires Authenticated User

CSRF Add User

SQL Injection from Workflow Screen II

SSRF Vulnerability in RESTful ContentAPI

jsps exposed to non-authenticated users

XSS on "page not found .jsp"

CRLF Header Injection vulnerability

Password fields with enabled autocomplete

Missing Cookie Security Attribute “httpOnly”

HTTP header injection

Arbitrary URL redirects

Information disclosure through unauthenticated and unused scripts

Vulnerabilities in “Comments” feature

Cross Site Scripting filter bypass

Arbitrary Command Execution

Forgot Password generates weak password

Stored XSS possible in admin tool as authenticated user

AJAX requests without a session ID or other form of authentication

XSS Vulnerability on Login Page

Cross Site Request Forgery (XSRF or CSRF)

Possible Clickjacking / no frame busting code in dotCMS admin

Test pages shipped in product

Insecure Browser Caching

Use of Persistent Cookies

SQL Injection from Workflow Screen

Possible Cross Site Redirect

Cross Domain Scripts Included Within Application

XSS possible after admin authentication

XSS error on the account login page

dotCMS template permissions allow arbitrary code execution

Overview

Cookies do not require SSL

Problem with XSS attack on 404 page