CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4447
https://notcve.org/view.php?id=CVE-2024-4447
In the System → Maintenance tool, the Logged Users tab surfaces sessionId data for all users via the Direct Web Remoting API (UserSessionAjax.getSessionList.dwr) calls. While this is information that would and should be available to admins who possess "Sign In As" powers, admins who otherwise lack this privilege would still be able to utilize the session IDs to imitate other users. While this is a very small attack vector that requires very high permissions to execute, its danger lies principally in obfuscating attribution; all Sign In As operations are attributed appropriately in the log files, and a malicious administrator could use this information to render their dealings untraceable — including those admins who have not been granted this ability — such as by using a session ID to generate an API token. Fixed in: 24.07.12 / 23.01.20 LTS / 23.10.24v13 LTS / 24.04.24v5 LTS • https://auth.dotcms.com/security/SI-72 https://www.dotcms.com/security/SI-72 • CWE-863: Incorrect Authorization •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3938
https://notcve.org/view.php?id=CVE-2024-3938
The "reset password" login page accepted an HTML injection via URL parameters. This has already been rectified via patch, and as such it cannot be demonstrated via Demo site link. Those interested to see the vulnerability may spin up a http://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true&resetEmail=%3Ch1%3E%3Ca%20href%3D%22https:%2F%2Fgoogle.com%22%3ECLICK%20ME%3C%2Fa%3E%3C%2Fh1%3E This will result in a view along these lines: * OWASP Top 10 - A03: Injection * CVSS Score: 5.4 * AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator * https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N&... https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator • https://www.dotcms.com/security/SI-71 • CWE-20: Improper Input Validation •
CVSS: 4.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3165 – Database Credential Exposure in the Logs
https://notcve.org/view.php?id=CVE-2024-3165
System->Maintenance-> Log Files in dotCMS dashboard is providing the username/password for database connections in the log output. Nevertheless, this is a moderate issue as it requires a backend admin as well as that dbs are locked down by environment. OWASP Top 10 - A05) Insecure Design OWASP Top 10 - A05) Security Misconfiguration OWASP Top 10 - A09) Security Logging and Monitoring Failure System->Maintenance-> Log Files en el panel de dotCMS proporciona el nombre de usuario/contraseña para las conexiones de la base de datos en la salida del registro. Sin embargo, este es un problema moderado, ya que requiere un administrador de backend y que las bases de datos estén bloqueadas por el entorno. OWASP Top 10 - A05) Diseño inseguro OWASP Top 10 - A05) Configuración incorrecta de seguridad OWASP Top 10 - A09) Fallo de registro y monitoreo de seguridad • https://auth.dotcms.com/security/SI-70?token=563ec927-3190-4478-bd77-0d6f8c6fc676 https://github.com/dotCMS/core/issues/27910 https://github.com/dotCMS/core/pull/28006 https://www.dotcms.com/security/SI-70 • CWE-522: Insufficiently Protected Credentials •
CVSS: 4.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3164
https://notcve.org/view.php?id=CVE-2024-3164
In dotCMS dashboard, the Tools and Log Files tabs under System → Maintenance Portlet, which is and always has been an Admin portlet, is accessible to anyone with that portlet and not just to CMS Admins. Users that get site admin but not a system admin, should not have access to the System Maintenance → Tools portlet. This would share database username and password under Log Files and download DB Dump and other dotCMS Content under Tools. Nothing in the System → Maintenance should be displayed for users with site admin role. Only system admins must have access to System Maintenance. OWASP Top 10 - A01) Broken Access Control OWASP Top 10 - A04) Insecure Design En el panel de dotCMS, las pestañas Tools y Log Files en System->Maintenance-> Log Files, que es y siempre ha sido un portlet de administración, son accesibles para cualquier persona con ese portlet y no solo para los administradores de CMS. • https://auth.dotcms.com/security/SI-69?token=dc1f0241-b697-41dd-8140-154658e90c54 https://github.com/dotCMS/core/issues/27909 https://github.com/dotCMS/core/pull/27912 https://www.dotcms.com/security/SI-69 • CWE-552: Files or Directories Accessible to External Parties •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2023-3042 – CNA SHORTNAME: dotCMSORG UUID: 5b9d93f2-25c7-46b4-ab60-d201718c9dd8
https://notcve.org/view.php?id=CVE-2023-3042
In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should return a 404 response but didn't. The oversight in the default invalid URL character list can be viewed at the provided GitHub link https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 . To mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables. Specifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings. Additionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs. Fix Version:23.06+, LTS 22.03.7+, LTS 23.01.4+ En dotCMS, versiones mencionadas, una falla en NormalizationFilter no elimina las barras dobles (//) de las URL, lo que potencialmente permite omitir XSS y controles de acceso. Un ejemplo de URL afectada es https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp, que debería devolver una respuesta 404 pero no lo hizo. La supervisión de la lista predeterminada de caracteres de URL no válidos se puede ver en el enlace proporcionado de GitHub https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java #L37. Para mitigar, los usuarios pueden bloquear las URL con barras dobles en los firewalls o utilizar variables de configuración de dotCMS. • https://www.dotcms.com/security/SI-68 • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •