// For flags

CVE-2023-3042

CNA SHORTNAME: dotCMSORG UUID: 5b9d93f2-25c7-46b4-ab60-d201718c9dd8

Severity Score

6.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should return a 404 response but didn't.

The oversight in the default invalid URL character list can be viewed at the provided GitHub link https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 . 

To mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables.

Specifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings.

Additionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs.

Fix Version:23.06+, LTS 22.03.7+, LTS 23.01.4+

En dotCMS, versiones mencionadas, una falla en NormalizationFilter no elimina las barras dobles (//) de las URL, lo que potencialmente permite omitir XSS y controles de acceso. Un ejemplo de URL afectada es https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp, que debería devolver una respuesta 404 pero no lo hizo. La supervisión de la lista predeterminada de caracteres de URL no válidos se puede ver en el enlace proporcionado de GitHub https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java #L37. Para mitigar, los usuarios pueden bloquear las URL con barras dobles en los firewalls o utilizar variables de configuración de dotCMS. Específicamente, pueden usar la variable ambiental DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS para agregar // a la lista de cadenas no válidas. Además, la variable DOT_URI_NORMALIZATION_FORBIDDEN_REGEX ofrece un control más detallado, por ejemplo, para bloquear URL //html.*. Versión reparada: 23.06+, LTS 22.03.7+, LTS 23.01.4+

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2023-06-01 CVE Reserved
  • 2023-10-17 CVE Published
  • 2024-09-13 CVE Updated
  • 2024-09-16 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-20: Improper Input Validation
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
  • CAPEC-247: XSS Using Invalid Characters
References (1)
URL Tag Source
URL Date SRC
URL Date SRC
URL Date SRC
https://www.dotcms.com/security/SI-68 2023-10-25
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Dotcms
Search vendor "Dotcms"
 Dotcms
Search vendor "Dotcms" for product "Dotcms"
 5.3.8
Search vendor "Dotcms" for product "Dotcms" and version "5.3.8"
-
Affected
Dotcms
Search vendor "Dotcms"
 Dotcms
Search vendor "Dotcms" for product "Dotcms"
 21.06
Search vendor "Dotcms" for product "Dotcms" and version "21.06"
-
Affected
Dotcms
Search vendor "Dotcms"
 Dotcms
Search vendor "Dotcms" for product "Dotcms"
 22.03
Search vendor "Dotcms" for product "Dotcms" and version "22.03"
-
Affected
Dotcms
Search vendor "Dotcms"
 Dotcms
Search vendor "Dotcms" for product "Dotcms"
 23.01
Search vendor "Dotcms" for product "Dotcms" and version "23.01"
-
Affected