CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4447
https://notcve.org/view.php?id=CVE-2024-4447
In the System → Maintenance tool, the Logged Users tab surfaces sessionId data for all users via the Direct Web Remoting API (UserSessionAjax.getSessionList.dwr) calls. While this is information that would and should be available to admins who possess "Sign In As" powers, admins who otherwise lack this privilege would still be able to utilize the session IDs to imitate other users. While this is a very small attack vector that requires very high permissions to execute, its danger lies principally in obfuscating attribution; all Sign In As operations are attributed appropriately in the log files, and a malicious administrator could use this information to render their dealings untraceable — including those admins who have not been granted this ability — such as by using a session ID to generate an API token. Fixed in: 24.07.12 / 23.01.20 LTS / 23.10.24v13 LTS / 24.04.24v5 LTS • https://auth.dotcms.com/security/SI-72 https://www.dotcms.com/security/SI-72 • CWE-863: Incorrect Authorization •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3938
https://notcve.org/view.php?id=CVE-2024-3938
The "reset password" login page accepted an HTML injection via URL parameters. This has already been rectified via patch, and as such it cannot be demonstrated via Demo site link. Those interested to see the vulnerability may spin up a http://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true&resetEmail=%3Ch1%3E%3Ca%20href%3D%22https:%2F%2Fgoogle.com%22%3ECLICK%20ME%3C%2Fa%3E%3C%2Fh1%3E This will result in a view along these lines: * OWASP Top 10 - A03: Injection * CVSS Score: 5.4 * AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator * https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N&... https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator • https://www.dotcms.com/security/SI-71 • CWE-20: Improper Input Validation •
CVSS: 4.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3165 – Database Credential Exposure in the Logs
https://notcve.org/view.php?id=CVE-2024-3165
System->Maintenance-> Log Files in dotCMS dashboard is providing the username/password for database connections in the log output. Nevertheless, this is a moderate issue as it requires a backend admin as well as that dbs are locked down by environment. OWASP Top 10 - A05) Insecure Design OWASP Top 10 - A05) Security Misconfiguration OWASP Top 10 - A09) Security Logging and Monitoring Failure System->Maintenance-> Log Files en el panel de dotCMS proporciona el nombre de usuario/contraseña para las conexiones de la base de datos en la salida del registro. Sin embargo, este es un problema moderado, ya que requiere un administrador de backend y que las bases de datos estén bloqueadas por el entorno. OWASP Top 10 - A05) Diseño inseguro OWASP Top 10 - A05) Configuración incorrecta de seguridad OWASP Top 10 - A09) Fallo de registro y monitoreo de seguridad • https://auth.dotcms.com/security/SI-70?token=563ec927-3190-4478-bd77-0d6f8c6fc676 https://github.com/dotCMS/core/issues/27910 https://github.com/dotCMS/core/pull/28006 https://www.dotcms.com/security/SI-70 • CWE-522: Insufficiently Protected Credentials •
CVSS: 4.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3164
https://notcve.org/view.php?id=CVE-2024-3164
In dotCMS dashboard, the Tools and Log Files tabs under System → Maintenance Portlet, which is and always has been an Admin portlet, is accessible to anyone with that portlet and not just to CMS Admins. Users that get site admin but not a system admin, should not have access to the System Maintenance → Tools portlet. This would share database username and password under Log Files and download DB Dump and other dotCMS Content under Tools. Nothing in the System → Maintenance should be displayed for users with site admin role. Only system admins must have access to System Maintenance. OWASP Top 10 - A01) Broken Access Control OWASP Top 10 - A04) Insecure Design En el panel de dotCMS, las pestañas Tools y Log Files en System->Maintenance-> Log Files, que es y siempre ha sido un portlet de administración, son accesibles para cualquier persona con ese portlet y no solo para los administradores de CMS. • https://auth.dotcms.com/security/SI-69?token=dc1f0241-b697-41dd-8140-154658e90c54 https://github.com/dotCMS/core/issues/27909 https://github.com/dotCMS/core/pull/27912 https://www.dotcms.com/security/SI-69 • CWE-552: Files or Directories Accessible to External Parties •