CVE-2022-26352: The ContentResource API in dotCMS 3.0 through 22.02 had an issue in which attackers could craft a multipart form request to post a file whose filename is not sanitized.

dotCMS 3.0 through 22.02 is not vulnerable if anonymous content creation is disabled. There are no known attacks against this API. Due to this issue, we recommend installing dotCMS 3.1, which was released on March 26, 2019.
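The flaw above is an upload handler that trusts the `filename=` parameter of a multipart part. The following added example (not dotCMS code; the request body, the allowed-extension policy and the `vet_multipart`/`sanitize_filename` helper names are all constructed for illustration) parses a constructed multipart body, reduces each filename to a safe basename and rejects anything a server should never write to disk:

```python
import email
import re

# Constructed sample request (not a real dotCMS request): one part carries a
# path-traversal filename, one a disallowed file type, one an ordinary upload.
CONTENT_TYPE = 'multipart/form-data; boundary="boundary123"'
SAMPLE_BODY = (
    b"--boundary123\r\n"
    b'Content-Disposition: form-data; name="file"; filename="../../unsafe.txt"\r\n'
    b"Content-Type: text/plain\r\n\r\nhello\r\n"
    b"--boundary123\r\n"
    b'Content-Disposition: form-data; name="file"; filename="page.jsp"\r\n'
    b"Content-Type: text/plain\r\n\r\n<% %>\r\n"
    b"--boundary123\r\n"
    b'Content-Disposition: form-data; name="file"; filename="report.pdf"\r\n'
    b"Content-Type: application/pdf\r\n\r\n%PDF-1.4\r\n"
    b"--boundary123--\r\n"
)

ALLOWED_EXT = {"pdf", "png", "jpg", "jpeg", "txt"}  # constructed policy for the example
# Must start with an alphanumeric (no dotfiles) and use only a small safe alphabet.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,199}$")


def sanitize_filename(raw_name: str) -> str:
    """Reduce an untrusted filename= value to a safe basename, or raise ValueError."""
    if any(ord(c) < 32 for c in raw_name):  # NUL bytes and other control characters
        raise ValueError("control character in filename")
    # Keep only the last path component, whichever separator the client used,
    # so '../../unsafe.txt' can never escape the upload directory.
    base = raw_name.replace("\\", "/").rsplit("/", 1)[-1].strip()
    if base in ("", ".", "..") or ".." in base or not SAFE_NAME.match(base):
        raise ValueError("unsafe filename: %r" % raw_name)
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed: %r" % base)
    return base


def vet_multipart(body: bytes, content_type: str) -> list:
    """Return (raw_filename, outcome) per file part; outcome is the safe name or a REJECTED reason."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = email.message_from_bytes(raw)
    results = []
    for part in msg.walk():  # the root message has no filename and is skipped
        name = part.get_filename()
        if name is None:
            continue
        try:
            results.append((name, sanitize_filename(name)))
        except ValueError as exc:
            results.append((name, "REJECTED: " + str(exc)))
    return results
```

A raw name that differs from its sanitized form (the first part here) is worth logging as a traversal attempt even though the stored name is safe.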

dotCMS 3.0 through 22.02 - TLS Vulnerability

A TLS vulnerability exists in the CommerceScript API for dotCMS. It is caused by a missing check in the authorization process of an SSL certificate.
As a result, an unauthenticated attacker may be able to intercept any information transmitted by your server to the CommerceScript API.
To avoid this vulnerability, ensure that you have a valid SSL certificate installed on your server and that you are using the correct protocol version (1 or 2) when communicating with the CommerceScript API.
As part of our security release process, we recommend that you upgrade to dotCMS 3.1, which was released on March 26, 2019.

What is dotCMS? dotCMS is an open-source content management system (CMS) that provides a web-based interface for managing content and users. dotCMS 3.0 introduced the capability of allowing anonymous content creation, which lets any user create a new page on your website with no login required.

How to protect your site from CVE-2022-26352

In order to protect your site from this vulnerability, install dotCMS 3.1, which was released on March 26, 2019. It is highly encouraged that you do not disable anonymous content creation in the CMS framework's configuration file.

Timeline

Published on: 07/17/2022 22:15:00 UTC
Last modified on: 07/25/2022 22:38:00 UTC