dotCMS Content Management Software

A pre-authenticated remote code execution vulnerability has been disclosed in dotCMS, an open-source content management system written in Java and "used by over 10,000 customers in over 70 countries around the world, from Fortune 500 brands and mid-sized organizations."

The critical issue, tracked as CVE-2022-26352, stems from a directory traversal attack when performing file uploads, enabling an adversary to execute arbitrary commands on the underlying system.

"An attacker can upload arbitrary files to the system," Shubham Shah of Assetnote said in a report. "By uploading a JSP file to the tomcat's root directory, it is possible to achieve code execution, leading to command execution."

Put differently, the arbitrary file upload flaw can be abused to replace already existing files in the system with a web shell, which can then be used to gain persistent remote access.


Although the exploit made it possible to write to arbitrary JavaScript files being served by the application, the researchers said the nature of the bug was such that it could be weaponized to gain command execution.

AssetNote said it discovered and reported the issue on February 21, 2022, following which patches have been released in versions 22.03,, and 21.06.7.

"When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the file down in a temp directory," the company said. "In the case of this vulnerability, dotCMS does not sanitize the filename passed in via the multipart request header and thus does not sanitize the temp file's name."

"In the case of this exploit, an attacker can upload a special .jsp file to the webapp/ROOT directory of dotCMS which can allow for remote code execution," it noted.
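The root cause described above is a client-supplied multipart filename used unchanged to name a file in a temp directory. The following is an added example, not dotCMS code, of the two checks a defender would expect before such a write: a containment check that the resolved path still lies inside the temp directory, and a stricter option that discards any directory component and keeps only a sanitized basename. The class name, method names and the `/tmp/dotcms-uploads` directory are hypothetical.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/** Hypothetical upload-filename guard, not part of dotCMS. */
public final class UploadFilenameCheck {

    /** True only if tempDir resolved with clientFilename still lies inside tempDir after normalization. */
    public static boolean staysInside(Path tempDir, String clientFilename) {
        Path base = tempDir.toAbsolutePath().normalize();
        // resolve() returns clientFilename itself when it is absolute, so absolute names are also caught
        Path target = base.resolve(clientFilename).normalize();
        // normalize() collapses "." and ".." segments, so a traversal that escapes base no longer starts with it
        return target.startsWith(base) && !target.equals(base);
    }

    /** Stricter option: ignore any directory part the client sent and keep only a sanitized basename. */
    public static String sanitizedBasename(String clientFilename) {
        Path last = Paths.get(clientFilename).getFileName(); // null for a bare root such as "/"
        String name = (last == null) ? "" : last.toString();
        name = name.replaceAll("[^A-Za-z0-9._-]", "_");     // allowlist, everything else becomes "_"
        if (name.isEmpty() || name.equals(".") || name.equals("..")) {
            name = "upload";                                 // never let the name itself be a path segment
        }
        return name;
    }

    public static void main(String[] args) {
        Path tmp = Paths.get("/tmp/dotcms-uploads");          // constructed example directory
        System.out.println(staysInside(tmp, "report.pdf"));     // plain name: accepted
        System.out.println(staysInside(tmp, "../../outside.txt")); // traversal: rejected
        System.out.println(staysInside(tmp, "/etc/passwd"));    // absolute name: rejected
        System.out.println(sanitizedBasename("../../odd name.jsp")); // directory part dropped, space replaced
    }
}
```

Note that `staysInside` still permits subdirectories under the temp directory; use `sanitizedBasename` when the upload path should never carry a directory component at all.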
