Access Control Bypass in dotCMS Affects Sensitive Information Retrieval
CVE-2022-35740

6.1 MEDIUM

Key Information:

Vendor

Dotcms

Status
Vendor
CVE Published:
10 November 2022

What is CVE-2022-35740?

An access control bypass vulnerability in dotCMS prior to version 22.06 allows remote attackers to use a semicolon in a URL to introduce matrix parameters. With semicolons placed at specific positions in the URI, a request no longer matches the path-based protections that enforce user authentication. As a result, unauthorized users may gain access to sensitive files and resources that are normally restricted to logged-in users. Exploitation can also facilitate further attacks, such as cross-site scripting (XSS), when combined with other malicious code. Organizations running affected versions are strongly advised to apply the latest patches.
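The mismatch described above can be shown as a check that matches the raw path beside one that strips matrix parameters first. This is an added example, not dotCMS code; the `private` prefix, the function names and the sample paths are constructed, and it assumes the resource resolver ignores matrix parameters when locating the file.

```python
# Constructed policy: first path segments that require a logged-in user.
PROTECTED_PREFIXES = [("private",)]

# Constructed request paths, as they might appear in an access log.
SAMPLE_PATHS = [
    "/private/report.pdf",
    "/private;v=1/report.pdf",
    "/;v=1/private/report.pdf",
    "/public/logo.png;v=2",
]

def naive_requires_auth(raw_path: str) -> bool:
    """Weak form: compares the raw request path with the protected prefix."""
    return raw_path.startswith("/private/")

def canonical_segments(raw_path: str) -> list:
    """Strip matrix parameters (';name=value') from every segment and drop
    segments that end up empty. Covers matrix parameters only; percent-decoding
    and dot-segment handling are out of scope for this example."""
    stripped = (seg.split(";", 1)[0] for seg in raw_path.split("/"))
    return [seg for seg in stripped if seg]

def requires_auth(raw_path: str) -> bool:
    """Hardened form: decides on the same canonical path the resolver serves."""
    segs = canonical_segments(raw_path)
    return any(tuple(segs[:len(p)]) == p for p in PROTECTED_PREFIXES)

def find_bypass_candidates(paths):
    """Detection pass: requests where the two decisions disagree, i.e. a
    protected resource that the raw-path check treated as public."""
    return [p for p in paths
            if ";" in p and requires_auth(p) and not naive_requires_auth(p)]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(path, naive_requires_auth(path), requires_auth(path))
    print("review:", find_bypass_candidates(SAMPLE_PATHS))
```

Running `find_bypass_candidates` over historical access logs gives a starting list of requests to review on systems that ran an affected version.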

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed
