CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2023-3042 – CNA SHORTNAME: dotCMSORG UUID: 5b9d93f2-25c7-46b4-ab60-d201718c9dd8
https://notcve.org/view.php?id=CVE-2023-3042
In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should return a 404 response but didn't. The oversight in the default invalid URL character list can be viewed at the provided GitHub link https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 . To mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables. Specifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings. Additionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs. Fix Version:23.06+, LTS 22.03.7+, LTS 23.01.4+ En dotCMS, versiones mencionadas, una falla en NormalizationFilter no elimina las barras dobles (//) de las URL, lo que potencialmente permite omitir XSS y controles de acceso. Un ejemplo de URL afectada es https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp, que debería devolver una respuesta 404 pero no lo hizo. La supervisión de la lista predeterminada de caracteres de URL no válidos se puede ver en el enlace proporcionado de GitHub https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java #L37. Para mitigar, los usuarios pueden bloquear las URL con barras dobles en los firewalls o utilizar variables de configuración de dotCMS. • https://www.dotcms.com/security/SI-68 • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-37034
https://notcve.org/view.php?id=CVE-2022-37034
In dotCMS 5.x-22.06, it is possible to call the TempResource multiple times, each time requesting the dotCMS server to download a large file. If done repeatedly, this will result in Tomcat request-thread exhaustion and ultimately a denial of any other requests. • https://www.dotcms.com/security/SI-65 • CWE-674: Uncontrolled Recursion •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-45782
https://notcve.org/view.php?id=CVE-2022-45782
An issue was discovered in dotCMS core 5.3.8.5 through 5.3.8.15 and 21.03 through 22.10.1. A cryptographically insecure random generation algorithm for password-reset token generation leads to account takeover. • https://www.dotcms.com/security/SI-66 • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-37033
https://notcve.org/view.php?id=CVE-2022-37033
In dotCMS 5.x-22.06, TempFileAPI allows a user to create a temporary file based on a passed in URL, while attempting to block any SSRF access to local IP addresses or private subnets. In resolving this URL, the TempFileAPI follows any 302 redirects that the remote URL returns. Because there is no re-validation of the redirect URL, the TempFileAPI can be used to return data from those local/private hosts that should not be accessible remotely. • https://www.dotcms.com/security/SI-64 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45783
https://notcve.org/view.php?id=CVE-2022-45783
An issue was discovered in dotCMS core 4.x through 22.10.2. An authenticated directory traversal vulnerability in the dotCMS API can lead to Remote Code Execution. • https://www.dotcms.com/security/SI-67 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •