SB2017072024 - Multiple vulnerabilities in dotCMS

Description

This security bulletin contains information about 2 vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2017-15219)

The vulnerability allows a remote authenticated user to read and manipulate data.

The dotCMS 4.1.1 application is vulnerable to Stored Cross-Site Scripting (XSS) affecting a vanity-urls Title field, a containers Description field, and a templates Description field.

2) Path traversal (CVE-ID: CVE-2017-11466)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in com/dotmarketing/servlets/AjaxFileUploadServlet.class in dotCMS 4.1.1. A remote authenticated attacker can send a specially crafted HTTP request and remote authenticated administrators to upload .jsp files to arbitrary locations via directory traversal sequences in the fieldName parameter to servlets/ajax_file_upload. This results in arbitrary code execution by requesting the .jsp file at a /assets URI.

Remediation

Install update from vendor's website.

References

• https://raw.githubusercontent.com/badbiddy/Vulnerability-Disclosure/master/dotCMS%20%3E%204.1.1%20-%20Stored%20XSS
• http://seclists.org/fulldisclosure/2017/Jul/33
• https://github.com/dotCMS/core/issues/12131
• https://packetstormsecurity.com/files/143383/dotcms411-shell.txt