Vulnerability Details : CVE-2023-3042
In the affected dotCMS versions, the NormalizationFilter does not strip double slashes (//) from request URLs, so a path written with a leading // can slip past checks that expect the normalized single-slash form, potentially enabling bypasses of XSS protections and access controls. For example, https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp should return a 404 response but did not.
The default invalid-URL-character list that misses this case can be seen in the filter source at https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 .
To mitigate, block URLs containing double slashes at the firewall, or use the dotCMS configuration variables.
Specifically, the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environment variable can be used to add // to the list of forbidden strings.
The DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers finer control, for instance blocking any URL matching //html.*.
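The following is an added, illustrative model of the failure mode described above and of the two mitigation knobs; it is not dotCMS's code and not the NormalizationFilter's actual logic. The forbidden-character list, the protected prefix, the set of existing resources and the status codes are assumptions chosen so that a leading // is not stripped, a prefix-based access check on the raw path misses it, and the resource is then resolved on the collapsed path. The forbidden_strings and forbidden_regex parameters stand in for DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS and DOT_URI_NORMALIZATION_FORBIDDEN_REGEX.

```python
import re

# Assumed default per-character deny list. "/" itself can never be forbidden,
# which is why a character-only check cannot catch the "//" case.
DEFAULT_FORBIDDEN_CHARS = frozenset(";\\<>\"'")

# Constructed sample of resources that exist on the modelled server.
RESOURCES = {
    "/html/portlet/ext/files/edit_text_inc.jsp",
    "/index.html",
}

# Assumed rule: direct requests under this prefix must be answered with 404.
PROTECTED_PREFIXES = ("/html/portlet/",)


class NormalizationFilter:
    """Model of a URI normalization filter (assumption, not dotCMS's class)."""

    def __init__(self, forbidden_strings=(), forbidden_regex=None):
        # forbidden_strings models DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS,
        # forbidden_regex models DOT_URI_NORMALIZATION_FORBIDDEN_REGEX.
        self.forbidden_strings = tuple(forbidden_strings)
        self.forbidden_regex = re.compile(forbidden_regex) if forbidden_regex else None

    def allowed(self, path: str) -> bool:
        if any(c in DEFAULT_FORBIDDEN_CHARS for c in path):
            return False
        if any(s in path for s in self.forbidden_strings):
            return False
        if self.forbidden_regex and self.forbidden_regex.search(path):
            return False
        return True


def collapse_slashes(path: str) -> str:
    """Resource resolution further down the stack treats '//x' as '/x'."""
    return re.sub(r"/{2,}", "/", path)


def handle(path: str, filt: NormalizationFilter) -> int:
    """Return the HTTP status the modelled server sends for `path`."""
    if not filt.allowed(path):
        return 400  # assumed: the filter rejects the request outright
    # The access check runs on the path as received: "//html/..." does not
    # start with "/html/portlet/", so the check is skipped. This is the flaw.
    if path.startswith(PROTECTED_PREFIXES):
        return 404
    # The resource is then looked up on the collapsed path, so the
    # protected JSP is served.
    resolved = collapse_slashes(path)
    return 200 if resolved in RESOURCES else 404


def demo() -> dict:
    """Run the example URL through the unmitigated and mitigated filters."""
    url = "//html/portlet/ext/files/edit_text_inc.jsp"
    vulnerable = NormalizationFilter()
    by_string = NormalizationFilter(forbidden_strings=["//"])
    by_regex = NormalizationFilter(forbidden_regex=r"//html.*")
    return {
        "direct": handle("/html/portlet/ext/files/edit_text_inc.jsp", vulnerable),
        "bypass": handle(url, vulnerable),
        "blocked_by_string": handle(url, by_string),
        "blocked_by_regex": handle(url, by_regex),
        "normal_page": handle("/index.html", by_string),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:18} -> {status}")
```

The direct request gets the intended 404, the // variant gets 200 from the unmitigated filter, and both the forbidden-string and the forbidden-regex settings reject it before the access check runs. The model only matches the literal // string; whether other encodings of a slash reach the filter in that form depends on the decoding that happens before it, which this example does not cover.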
Fix Version: 23.06+, LTS 22.03.7+, LTS 23.01.4+
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2023-3042
- cpe:2.3:a:dotcms:dotcms:5.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:dotcms:dotcms:21.06:*:*:*:*:*:*:*
- cpe:2.3:a:dotcms:dotcms:22.03:*:*:*:*:*:*:*
- cpe:2.3:a:dotcms:dotcms:23.01:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-3042
0.06% (probability of exploitation activity in the next 30 days)
~28th percentile (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2023-3042
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | |
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 | dotCMS LLC | |
CWE ids for CVE-2023-3042
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: security@dotcms.com (Secondary)
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary), security@dotcms.com (Secondary)
References for CVE-2023-3042
- https://auth.dotcms.com/security/SI-68 (Broken Access Control — Normalization Filter | dotCMS)
- https://www.dotcms.com/security/SI-68 (Broken Access Control — Normalization Filter | dotCMS; Vendor Advisory)