
The Content Management System dotCMS is Hacked

The open-source content management system dotCMS has been hacked after a code vulnerability was found. 

dotCMS is written in Java and is built to manage digital content for websites and mobile apps.

A pre-authentication remote code execution vulnerability was disclosed in the content management system, which is the CMS platform of choice for approximately 10,000 clients across 70 countries. Its clients range from mid-sized businesses all the way up to Fortune 500 companies.

The flaw is tracked as CVE-2022-26352. It stems from a directory traversal weakness in the file upload handling, which makes it possible for malicious users to execute arbitrary commands on the underlying system.

“An attacker can upload arbitrary files to the system,” said Shubham Shah in a report for the cyber security company Assetnote. “By uploading a JSP file to the tomcat’s root directory, it is possible to achieve code execution, leading to command execution.”

What this boils down to is that the arbitrary file upload flaw lets an attacker overwrite files already present on the system with a web shell, an interface that allows a web server to be accessed remotely, usually for the purpose of cyberattacks.

That’s not all. Although the flaw itself only makes it possible to write JavaScript files, the researchers who analysed it added that it “could be weaponized to gain command execution.”

“When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the file down in a temp directory,” according to dotCMS. “In the case of this vulnerability, dotCMS does not sanitize the filename passed in via the multipart request header and thus does not sanitize the temp file’s name.” 

The CMS platform went on to add that “In the case of this exploit, an attacker can upload a special .jsp file to the webapp/ROOT directory of dotCMS which can allow for remote code execution.” 
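The two defensive checks that dotCMS’s description points at, reducing the client-supplied multipart filename to a safe name and confirming that the temp file cannot land outside the temp directory, shown side by side with the unsafe pattern. This is an added Java example, not dotCMS’s own code; the temp directory path and the extension allowlist are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;
import java.util.UUID;

public final class UploadNameCheck {
    // Assumed temp directory for this example; the page does not give dotCMS's real path.
    static final Path TEMP_DIR = Paths.get("/opt/cms/temp").toAbsolutePath().normalize();
    // Assumed allowlist of content types the application actually expects to receive.
    static final Set<String> ALLOWED_EXT = Set.of(".png", ".jpg", ".pdf", ".txt");

    /** Vulnerable pattern: the filename from the multipart header is used unchanged. */
    static Path unsafeTempPath(String multipartFilename) {
        // A name containing "../" normalizes to a location outside TEMP_DIR.
        return TEMP_DIR.resolve(multipartFilename).normalize();
    }

    /** Hardened pattern: base name only, server-chosen name on disk, containment verified. */
    static Path safeTempPath(String multipartFilename) {
        if (multipartFilename == null || multipartFilename.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid filename");
        }
        // Treat backslashes as separators too, so Windows-style traversal is stripped as well.
        Path fileName = Paths.get(multipartFilename.replace('\\', '/')).getFileName();
        if (fileName == null) {
            throw new IllegalArgumentException("no file name"); // e.g. "/" alone
        }
        String base = fileName.toString();
        if (base.isEmpty() || base.equals(".") || base.equals("..")) {
            throw new IllegalArgumentException("invalid filename");
        }
        // Keep only an allowlisted extension; the client's name itself is never reused.
        int dot = base.lastIndexOf('.');
        String ext = dot >= 0 ? base.substring(dot).toLowerCase() : "";
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        Path target = TEMP_DIR.resolve(UUID.randomUUID() + ext).normalize();
        // Defense in depth: the final path must still be inside the temp directory.
        if (!target.startsWith(TEMP_DIR)) {
            throw new IllegalStateException("path escaped temp directory");
        }
        return target;
    }

    public static void main(String[] args) {
        String traversal = "../../webapp/ROOT/x.jsp"; // constructed test input
        System.out.println("unsafe -> " + unsafeTempPath(traversal)); // outside TEMP_DIR
        try { safeTempPath(traversal); } catch (IllegalArgumentException e) {
            System.out.println("safe   -> rejected: " + e.getMessage()); // .jsp not allowlisted
        }
        System.out.println("safe   -> " + safeTempPath("report.pdf"));  // random name in TEMP_DIR
    }
}
```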

PS: ArganoUV is one of the world’s leading CMS platform specialists. Contact us to see how we can work together. 
