CVE-2023-3042

In dotCMS, versions mentioned, the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses of XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp, which should return a 404 response but didn't. The oversight in the default invalid URL character list can be viewed at https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37. To mitigate, users can block URLs with double slashes at firewalls or use dotCMS config variables. Specifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environment variable to add // to the list of invalid strings. Additionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs. Fix Version: 23.06+, LTS 22.03.7+, LTS 23.01.4+
References
Link Resource
https://www.dotcms.com/security/SI-68 Vendor Advisory
Configurations

Configuration 1

OR cpe:2.3:a:dotcms:dotcms:5.3.8:*:*:*:*:*:*:*
cpe:2.3:a:dotcms:dotcms:21.06:*:*:*:*:*:*:*
cpe:2.3:a:dotcms:dotcms:22.03:*:*:*:*:*:*:*
cpe:2.3:a:dotcms:dotcms:23.01:*:*:*:*:*:*:*

History

30 Sep 2024, 16:15

Type Values Removed Values Added
CWE CWE-20
Summary
  Removed: (en) In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should return a 404 response but didn't. The oversight in the default invalid URL character list can be viewed at the provided GitHub link https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 . To mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables. Specifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings. Additionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs. Fix Version:23.06+, LTS 22.03.7+, LTS 23.01.4+
  Added: (en) In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should return a 404 response but didn't. The oversight in the default invalid URL character list can be viewed at the provided GitHub link https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 . To mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables. Specifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings. Additionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs. Fix Version:23.06+, LTS 22.03.7+, LTS 23.01.4+

25 Oct 2023, 14:31

Type Values Removed Values Added
First Time Dotcms dotcms
Dotcms
CVSS
  Removed: v2 : unknown, v3 : unknown
  Added: v2 : unknown, v3 : 6.1
References
  Removed: (MISC) https://www.dotcms.com/security/SI-68 -
  Added: (MISC) https://www.dotcms.com/security/SI-68 - Vendor Advisory
CWE CWE-79
CPE cpe:2.3:a:dotcms:dotcms:23.01:*:*:*:*:*:*:*
cpe:2.3:a:dotcms:dotcms:5.3.8:*:*:*:*:*:*:*
cpe:2.3:a:dotcms:dotcms:21.06:*:*:*:*:*:*:*
cpe:2.3:a:dotcms:dotcms:22.03:*:*:*:*:*:*:*

23 Oct 2023, 17:15

Type Values Removed Values Added
References
  • (MISC) https://auth.dotcms.com/security/SI-68
  • (MISC) https://www.dotcms.com/security/SI-68 -

17 Oct 2023, 23:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-10-17 23:15

Updated : 2024-09-30 16:15


NVD link : CVE-2023-3042

Mitre link : CVE-2023-3042

CVE.ORG link : CVE-2023-3042



Products Affected

dotcms

  • dotcms
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')