A pre-authentication remote code execution vulnerability has been disclosed in the open-source content management system dotCMS.
dotCMS is written in Java and is built to manage digital content for websites and mobile apps.
The vulnerability affects the platform of choice for approximately 10,000 clients across 70 countries. Its clients range from mid-sized businesses all the way up to Fortune 500 companies.
The flaw is tracked as CVE-2022-26352. It stems from a directory traversal in the file-upload handling: the client-supplied filename is not sanitized, so an uploaded file can be written outside the intended directory, which makes it possible for unauthenticated users to execute arbitrary commands on the underlying system.
“An attacker can upload arbitrary files to the system,” said Shubham Shah in a report for the cyber security company Assetnote. “By uploading a JSP file to the tomcat’s root directory, it is possible to achieve code execution, leading to command execution.”
In practice, the arbitrary file upload lets an attacker replace existing files on the system with a web shell, a script served by the web server that gives the attacker remote command access to the host, usually for the purpose of a cyberattack.
“When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the file down in a temp directory,” according to dotCMS. “In the case of this vulnerability, dotCMS does not sanitize the filename passed in via the multipart request header and thus does not sanitize the temp file’s name.”
The CMS platform went on to add that “In the case of this exploit, an attacker can upload a special .jsp file to the webapp/ROOT directory of dotCMS which can allow for remote code execution.”
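To make the mechanism concrete, the following added example (written for this article in Python, not dotCMS's own Java code and not Assetnote's proof of concept) parses a constructed multipart upload whose Content-Disposition filename carries `../` segments, shows how a handler that trusts that filename verbatim produces a temp-file path outside the temp directory, and sets a hardened handler beside it that strips directory components, allowlists extensions and confirms the resolved path stays inside the temp directory. The multipart body, the function names and the allowlist are all assumptions for illustration; the uploaded content is a placeholder comment, not a web shell.

```python
import os
import re
import tempfile

# Constructed multipart body for the example (not a real dotCMS request).
# The filename in the Content-Disposition header tries to escape the
# upload temp directory and land under the servlet container's ROOT webapp.
MALICIOUS_MULTIPART = (
    b"--boundary\r\n"
    b'Content-Disposition: form-data; name="file"; '
    b'filename="../../webapp/ROOT/hello.jsp"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"<%-- placeholder content for the example, not a web shell --%>\r\n"
    b"--boundary--\r\n"
)

FILENAME_RE = re.compile(rb'filename="([^"]*)"')

# Hypothetical allowlist; a real CMS would derive this from its content types.
ALLOWED_EXT = {".txt", ".png", ".jpg", ".pdf"}


def parse_filename(body: bytes) -> str:
    """Return the filename from the first Content-Disposition header, unmodified."""
    m = FILENAME_RE.search(body)
    if not m:
        raise ValueError("no filename in multipart body")
    return m.group(1).decode("utf-8", "replace")


def vulnerable_temp_path(temp_dir: str, filename: str) -> str:
    """The weak pattern: join the client-supplied filename onto the temp dir as-is.
    normpath collapses the '..' segments, so the result can point anywhere."""
    return os.path.normpath(os.path.join(temp_dir, filename))


def hardened_temp_path(temp_dir: str, filename: str) -> str:
    """Keep only the final path component, reject active content by extension,
    and verify the resolved path is a direct child of the temp directory."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise ValueError("empty or traversal-only filename")
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension {ext!r} not allowed")
    real_dir = os.path.realpath(temp_dir)
    candidate = os.path.realpath(os.path.join(real_dir, base))
    if os.path.dirname(candidate) != real_dir:
        raise ValueError("resolved path escapes temp directory")
    return candidate


def accept_upload(temp_dir: str, filename: str):
    """Return the safe destination path, or None if the filename is rejected."""
    try:
        return hardened_temp_path(temp_dir, filename)
    except ValueError:
        return None


def escapes(temp_dir: str, path: str) -> bool:
    """True if path resolves to somewhere outside temp_dir."""
    real_dir = os.path.realpath(temp_dir)
    return os.path.commonpath([real_dir, os.path.realpath(path)]) != real_dir


def demo() -> dict:
    """Run both handlers against the constructed request in a throwaway temp dir."""
    temp_dir = tempfile.mkdtemp(prefix="upload-")
    name = parse_filename(MALICIOUS_MULTIPART)
    weak = vulnerable_temp_path(temp_dir, name)
    return {
        "filename": name,
        "weak_path": weak,
        "weak_path_escapes": escapes(temp_dir, weak),
        "hardened_rejects": accept_upload(temp_dir, name) is None,
        "benign_accepted": accept_upload(temp_dir, "report.txt") is not None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened version does three independent things, and each one alone would have blocked this filename: `basename` discards the traversal, the extension allowlist refuses `.jsp`, and the `realpath` check catches anything (symlinks included) that still resolves outside the temp directory. Defence in depth here is cheap, and it is the `realpath` comparison, not the string scrubbing, that gives a guarantee.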