In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should return a 404 response but didn't.
The oversight in the default invalid URL character list can be viewed at the provided GitHub link https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 .
To mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables.
Specifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings.
Additionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs.
Fix Version:23.06+, LTS 22.03.7+, LTS 23.01.4+
References
Link | Resource |
---|---|
https://www.dotcms.com/security/SI-68 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
30 Sep 2024, 16:15
Type | Values Removed | Values Added |
---|---|---|
CWE | ||
Summary | (en) In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should return a 404 response but didn't. The oversight in the default invalid URL character list can be viewed at the provided GitHub link https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 . To mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables. Specifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings. Additionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs. Fix Version:23.06+, LTS 22.03.7+, LTS 23.01.4+ |
25 Oct 2023, 14:31
Type | Values Removed | Values Added |
---|---|---|
First Time |
Dotcms dotcms
Dotcms |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.1 |
References | (MISC) https://www.dotcms.com/security/SI-68 - Vendor Advisory | |
CWE | CWE-79 | |
CPE | cpe:2.3:a:dotcms:dotcms:23.01:*:*:*:*:*:*:* cpe:2.3:a:dotcms:dotcms:5.3.8:*:*:*:*:*:*:* cpe:2.3:a:dotcms:dotcms:21.06:*:*:*:*:*:*:* cpe:2.3:a:dotcms:dotcms:22.03:*:*:*:*:*:*:* |
23 Oct 2023, 17:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
17 Oct 2023, 23:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-10-17 23:15
Updated : 2024-09-30 16:15
NVD link : CVE-2023-3042
Mitre link : CVE-2023-3042
CVE.ORG link : CVE-2023-3042
JSON object : View
Products Affected
dotcms
- dotcms
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')