Overview
The dotCMS content management system version 1.9 and possibly earlier versions, contains a vulnerability that allows users with the appropriate permissions to create a malicious template with arbitrary code.
Description
An authenticated dotCMS user with the permissions required to author and upload templates may create a malicious XSLT or Velocity template that can execute arbitrary java code. The arbitrary java code will run with the permissions of the web service account. |
Impact
An authenticated attacker with the permissions to create a template may upload a malicious XSLT or Velocity template that can run arbitrary java code. In some cases, the attacker may be able to exploit this vulnerability to obtain a shell on the web server. |
Solution
Apply an Update dotCMS version 1.9.5.1 or 2.0.1 and later address these vulnerabilities. If you are unable to upgrade please consider the following workarounds. |
Workarounds |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 8.5 | AV:N/AC:M/Au:S/C:C/I:C/A:C |
| Temporal | 6.9 | E:POC/RL:U/RC:UC |
| Environmental | 6.9 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to Ben Murphy for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
| CVE IDs: | CVE-2012-1826 |
| Date Public: | 2012-05-25 |
| Date First Published: | 2012-05-25 |
| Date Last Updated: | 2012-05-25 12:26 UTC |
| Document Revision: | 26 |