- Description
- In the dotCMS versions mentioned, the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses of XSS and access controls. An example of an affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should return a 404 response but did not. The oversight in the default list of invalid URL characters can be seen at https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 . To mitigate, users can block URLs containing double slashes at the firewall or use dotCMS config variables. Specifically, the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environment variable can be used to add // to the list of invalid strings. The DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers finer-grained control, for instance to block //html.* URLs. Fix version: 23.06+, LTS 22.03.7+, LTS 23.01.4+
- Source
- security@dotcms.com
- NVD status
- Modified
CVSS 3.1
- Type
- Primary
- Base score
- 6.1
- Impact score
- 2.7
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Severity
- MEDIUM
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:dotcms:dotcms:5.3.8:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1B26B5D7-CE8E-4908-8D46-A78B1A4245BA"
          },
          {
            "criteria": "cpe:2.3:a:dotcms:dotcms:21.06:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "98D4378C-DEAC-44C1-89D1-A4846450E153"
          },
          {
            "criteria": "cpe:2.3:a:dotcms:dotcms:22.03:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5FC8E88E-4C9A-4FE9-A3B6-2A5707323F1E"
          },
          {
            "criteria": "cpe:2.3:a:dotcms:dotcms:23.01:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D68AC1E5-1756-4838-8BE5-78B2F1435A6C"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]