Directory Traversal Vulnerability in dotCMS by dotCMS
CVE-2022-26352
What is CVE-2022-26352?
A directory traversal vulnerability exists in the ContentResource API of dotCMS versions 3.0 through 22.02. This flaw allows attackers to craft multipart form requests that can upload files with unsanitized filenames. If anonymous content creation is enabled, an unauthenticated attacker may exploit this vulnerability to upload executable files, such as .jsp files, potentially leading to remote code execution on the server. Proper security measures should be implemented to ensure file uploads are sanitized and restricted.
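As an added illustration of the mitigation the paragraph calls for (example code written for this page, not dotCMS's ContentResource implementation), the Python below reduces a client-supplied multipart filename to a bare, allow-listed name and confirms the resolved path stays under the upload root. The upload root, the allowed extensions and the sample filenames are constructed assumptions.

```python
import os
import re

# Allow-list for bare file names: leading alphanumeric, no separators, no control chars.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")
# Extensions this example endpoint accepts (constructed for the example);
# server-executable extensions such as .jsp are deliberately absent.
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename cannot be made safe."""


def sanitize_filename(raw: str) -> str:
    """Return a bare, allow-listed file name derived from a multipart filename.

    Directory components are dropped (both '/' and '\\' separators), so a
    traversal sequence such as '../../x.png' yields 'x.png'; anything that is
    not a plain allow-listed name, or whose extension is not permitted, is rejected.
    """
    if "\x00" in raw:
        raise UnsafeFilename("NUL byte in filename")
    name = raw.replace("\\", "/").rsplit("/", 1)[-1]
    if not SAFE_NAME.match(name):
        raise UnsafeFilename(f"rejected filename: {raw!r}")
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise UnsafeFilename(f"extension not permitted: {ext!r}")
    return name


def resolve_upload_path(upload_root: str, raw_filename: str) -> str:
    """Join the sanitized name onto the upload root and verify the result stays inside it."""
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, sanitize_filename(raw_filename)))
    # Defense in depth: even with a sanitized name, confirm containment before writing.
    if os.path.commonpath([root, target]) != root:
        raise UnsafeFilename("resolved path escapes the upload root")
    return target


def is_safe_filename(raw: str) -> bool:
    """Boolean view of sanitize_filename(), convenient for request validation."""
    try:
        sanitize_filename(raw)
    except UnsafeFilename:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample filenames as they might appear in a multipart Content-Disposition.
    for candidate in ("report.pdf", "../../shell.jsp", "..\\..\\img.png", "photo.JPG", ".."):
        print(f"{candidate!r:24} -> {is_safe_filename(candidate)}")
```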
CISA has reported CVE-2022-26352
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2022-26352 as actively exploited and as known to enable ransomware campaigns.
CISA's recommendation is: Apply updates per vendor instructions.
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
EPSS Score
94% chance of being exploited in the next 30 days.
Timeline
- Used in Ransomware
- Exploit known to exist
- CISA Reported
- Vulnerability published
- Public PoC available
- Vulnerability Reserved

