CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 2CVE-2022-35740
https://notcve.org/view.php?id=CVE-2022-35740
dotCMS before 22.06 allows remote attackers to bypass intended access control and obtain sensitive information by using a semicolon in a URL to introduce a matrix parameter. (This is also fixed in 5.3.8.12, 21.06.9, and 22.03.2 for LTS users.) Some Java application frameworks, including those used by Spring or Tomcat, allow the use of matrix parameters: these are URI parameters separated by semicolons. Through precise semicolon placement in a URI, it is possible to exploit this feature to avoid dotCMS's path-based XSS prevention (such as "require login" filters), and consequently access restricted resources. For example, an attacker could place a semicolon immediately before a / character that separates elements of a filesystem path. • https://github.com/dotCMS/patches-hotfixes/tree/master/com.dotcms.security.matrixparams https://www.dotcms.com/security/SI-63 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-37431
https://notcve.org/view.php?id=CVE-2022-37431
A Reflected Cross-site scripting (XSS) issue was discovered in dotCMS Core through 22.06. This occurs in the admin portal when the configuration has XSS_PROTECTION_ENABLED=false. NOTE: the vendor disputes this because the current product behavior, in effect, has XSS_PROTECTION_ENABLED=true in all configurations ** EN DISPUTA ** Se ha detectado un problema de tipo Cross-site scripting (XSS) Reflejado en dotCMS Core versiones hasta 22.06. Esto ocurre en el portal de administración cuando la configuración presenta XSS_PROTECTION_ENABLED=false. NOTA: el proveedor discute esto porque el comportamiento actual del producto, en efecto, tiene XSS_PROTECTION_ENABLED=true en todas las configuraciones • https://fortiguard.fortinet.com/zeroday/FG-VD-22-062 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 97%CPEs: 1EXPL: 2CVE-2022-26352 – dotCMS Unrestricted Upload of File Vulnerability
https://notcve.org/view.php?id=CVE-2022-26352
An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution. Se ha detectado un problema en la API ContentResource de dotCMS versiones 3.0 hasta 22.02. • http://packetstormsecurity.com/files/167365/dotCMS-Shell-Upload.html https://groups.google.com/g/dotcms https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/dotcms_file_upload_rce.rb •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2020-19138
https://notcve.org/view.php?id=CVE-2020-19138
Unrestricted Upload of File with Dangerous Type in DotCMS v5.2.3 and earlier allow remote attackers to execute arbitrary code via the component "/src/main/java/com/dotmarketing/filters/CMSFilter.java". Una Carga no Restringida de Archivos de Tipo Peligroso en DotCMS versión v5.2.3 y anteriores, permite a atacantes remotos ejecutar código arbitrario por medio del componente "/src/main/java/com/dotmarketing/filters/CMSFilter.java" • https://github.com/dotCMS/core/issues/17796 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-18875
https://notcve.org/view.php?id=CVE-2020-18875
Incorrect Access Control in DotCMS versions before 5.1 allows remote attackers to gain privileges by injecting client configurations via vtl (velocity) files. Un Control de Acceso Incorrecto en DotCMS versiones anteriores a 5.1, permite a atacantes remotos alcanzar privilegios al inyectar configuraciones de clientes por medio de archivos vtl (velocity). • https://cwe.mitre.org/data/definitions/284.html https://dotcms.com/security/SI-51 https://github.com/dotCMS/core/issues/15882 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •