
The Content Management System dotCMS is Hacked

A pre-authentication remote code execution vulnerability has been disclosed in the open-source content management system dotCMS; no compromise of dotCMS itself is reported, but any unpatched installation is exposed to the flaw.

dotCMS is written in Java and is built to manage digital content for websites and mobile apps.

The vulnerability, which can be exploited without authentication, affects the CMS platform of choice for approximately 10,000 customers across 70 countries, ranging from mid-sized businesses all the way up to Fortune 500 companies.

The flaw is tracked as CVE-2022-26352. It stems from a directory traversal in the file upload handling: an attacker controls where an uploaded file is written, which makes it possible to execute arbitrary commands on the underlying system.

“An attacker can upload arbitrary files to the system,” said Shubham Shah in a report for the cyber security company Assetnote. “By uploading a JSP file to the tomcat’s root directory, it is possible to achieve code execution, leading to command execution.”

In practice, the arbitrary file upload lets an attacker overwrite existing files on the system with a web shell, an interface that gives remote access to a web server and is usually deployed for the purpose of cyberattacks.

That’s not all. Because the flaw makes it possible to write JSP files, which the application server executes, the researchers added that it “could be weaponized to gain command execution.”

“When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the file down in a temp directory,” according to dotCMS. “In the case of this vulnerability, dotCMS does not sanitize the filename passed in via the multipart request header and thus does not sanitize the temp file’s name.” 

The CMS platform went on to add that “In the case of this exploit, an attacker can upload a special .jsp file to the webapp/ROOT directory of dotCMS which can allow for remote code execution.” 
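The two statements above describe the same mechanism: the filename in the multipart Content-Disposition header is used verbatim when the temp file is written, so a name containing `../` segments lands outside the temp directory, for example in the served webapp/ROOT directory. The following is an added illustration of that pattern and of the fix (it is not dotCMS code, and the directory layout, header values and placeholder JSP body are constructed for the example): the vulnerable handler joins the client-supplied name onto the temp directory as-is, the hardened one keeps only the final path component and then verifies that the resolved path is still inside the temp directory before writing.

```python
import os
import re
import tempfile

# Constructed multipart part headers, modelled on what a client sends to a
# file-upload endpoint. Example values for this illustration, not a capture
# of a real request to dotCMS.
MALICIOUS_PART_HEADERS = (
    'Content-Disposition: form-data; name="file"; '
    'filename="../../webapps/ROOT/cmd.jsp"\r\n'
    'Content-Type: application/octet-stream\r\n'
)
BENIGN_PART_HEADERS = (
    'Content-Disposition: form-data; name="file"; filename="report.pdf"\r\n'
    'Content-Type: application/pdf\r\n'
)

_FILENAME_RE = re.compile(r'filename="([^"]*)"')


def filename_from_part_headers(part_headers: str) -> str:
    """Extract the client-supplied filename from a part's Content-Disposition."""
    m = _FILENAME_RE.search(part_headers)
    if m is None:
        raise ValueError("part has no filename attribute")
    return m.group(1)


def save_upload_unsafe(temp_dir: str, part_headers: str, data: bytes) -> str:
    """Vulnerable pattern: the attacker-controlled filename is joined onto the
    temp directory verbatim, so '..' segments walk out of it."""
    name = filename_from_part_headers(part_headers)
    dest = os.path.join(temp_dir, name)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return os.path.realpath(dest)


def is_inside(base_dir: str, path: str) -> bool:
    """True if the canonical form of `path` lies under the canonical `base_dir`."""
    base_real = os.path.realpath(base_dir)
    path_real = os.path.realpath(path)
    return os.path.commonpath([base_real, path_real]) == base_real


def sanitize_upload_name(name: str) -> str:
    """Reduce a client filename to a single safe path component."""
    # Strip any directory part, whether the client used '/' or '\' separators.
    leaf = name.replace("\\", "/").rsplit("/", 1)[-1]
    if leaf in ("", ".", "..") or "\x00" in leaf:
        raise ValueError(f"rejected upload filename {name!r}")
    return leaf


def save_upload_safe(temp_dir: str, part_headers: str, data: bytes) -> str:
    """Hardened pattern: sanitize the name, then confirm the final path still
    resolves inside temp_dir before writing anything."""
    leaf = sanitize_upload_name(filename_from_part_headers(part_headers))
    dest = os.path.join(temp_dir, leaf)
    if not is_inside(temp_dir, dest):
        raise ValueError(f"path escapes temp dir: {dest!r}")
    with open(dest, "wb") as fh:
        fh.write(data)
    return os.path.realpath(dest)


def demo() -> dict:
    """Run both handlers against the constructed upload inside a throwaway tree
    shaped like <root>/webapps/ROOT (served) and <root>/dotserver/tmp (not
    served). The directory names are assumptions for the illustration."""
    root = tempfile.mkdtemp(prefix="upload-demo-")
    temp_dir = os.path.join(root, "dotserver", "tmp")
    os.makedirs(temp_dir)
    payload = b"<%-- placeholder JSP body --%>\n"  # stand-in, not a web shell

    unsafe_path = save_upload_unsafe(temp_dir, MALICIOUS_PART_HEADERS, payload)
    safe_path = save_upload_safe(temp_dir, MALICIOUS_PART_HEADERS, payload)

    rejected = []  # names the hardened handler refuses outright
    for bad in ('filename=".."', 'filename=""', 'filename="..\\"'):
        try:
            sanitize_upload_name(filename_from_part_headers(bad))
        except ValueError:
            rejected.append(bad)

    return {
        "temp_dir": os.path.realpath(temp_dir),
        "unsafe_path": unsafe_path,
        "unsafe_escaped": not is_inside(temp_dir, unsafe_path),
        "safe_path": safe_path,
        "safe_contained": is_inside(temp_dir, safe_path),
        "rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the unsafe handler writing `cmd.jsp` under `webapps/ROOT`, i.e. outside the temp directory, while the hardened handler writes the same upload as `dotserver/tmp/cmd.jsp`. The containment check is defence in depth; the decisive change is that the client never chooses the directory. Generating the temp name entirely server-side (for instance with `tempfile.mkstemp`) and keeping the client name only as metadata removes this class of bug altogether.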

PS: ArganoUV is one of the world’s leading CMS platform specialists. Contact us to see how we can work together. 
