PT-2017-16445 · Dotcms · Dotcms

Ben Nott · Published 2017-02-17 · Updated 2017-09-01 · CVE-2017-5344

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: dotCMS versions prior to 3.6.2
Description: An issue was discovered in the findChildrenByFilter() function, which is reached through the web-accessible path /categoriesServlet. The function builds its SQL query by string interpolation and executes it directly. Although SQL quote escaping and a keyword blacklist were added as a remediation, both controls can be bypassed through the q and inode parameters of /categoriesServlet, which yields boolean-based blind SQL injection in either parameter. In a default dotCMS deployment /categoriesServlet is reachable remotely and without authentication, which is why the vector carries PR:N and the score is critical.
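The following is an added illustration, not code from the page or from dotCMS, of the pattern the description names: a query assembled by interpolation behind a quote-escaping sanitizer and a keyword blacklist, next to the parameterized form that actually closes the hole. The table, rows, blacklist and the unquoted placement of inode are constructed for the example; the specific dotCMS bypass is not published here and this is not it. What the block shows is why the filter class fails: a boolean condition built from quote-free SQL that the blacklist never mentions turns the endpoint into a one-bit oracle, and that oracle is enough to read a column the servlet never returns.

```python
import re
import sqlite3

# Constructed sample rows standing in for a category table. category_key models a
# column the servlet never returns but an injected condition can still test against.
SAMPLE_ROWS = [
    (1, "Products", "pk-alpha"),
    (2, "Blog", "pk-bravo"),
]

# Hypothetical keyword blacklist of the kind the advisory describes as a remediation.
BLACKLIST = re.compile(
    r"\b(union|select|insert|update|delete|drop|exec|sleep|benchmark)\b|--|;|/\*",
    re.IGNORECASE,
)


def naive_sanitize(value: str) -> str:
    """Escape single quotes and reject blacklisted tokens (a model, not dotCMS code)."""
    if BLACKLIST.search(value):
        raise ValueError("rejected by keyword blacklist")
    return value.replace("'", "''")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE category (inode INTEGER, category_name TEXT, category_key TEXT)"
    )
    conn.executemany("INSERT INTO category VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_children_vulnerable(conn: sqlite3.Connection, inode: str, q: str) -> list:
    """Vulnerable pattern: sanitize, then interpolate. inode lands unquoted, so quote
    escaping never applies to it and the blacklist is the only barrier left."""
    sql = (
        "SELECT category_name FROM category "
        f"WHERE inode = {naive_sanitize(inode)} "
        f"AND category_name LIKE '%{naive_sanitize(q)}%'"
    )
    return [row[0] for row in conn.execute(sql)]


def find_children_hardened(conn: sqlite3.Connection, inode: str, q: str) -> list:
    """Fix: bind parameters. Values travel separately from the statement text, so no
    input can change the query's structure. An allowlist on inode's format (digits
    only, say) is a sensible second layer; the keyword blacklist is not needed at all."""
    sql = "SELECT category_name FROM category WHERE inode = ? AND category_name LIKE ?"
    return [row[0] for row in conn.execute(sql, (inode, f"%{q}%"))]


def oracle(conn: sqlite3.Connection, condition: str) -> bool:
    """One bit per request: does the result set survive when `condition` is appended?"""
    return find_children_vulnerable(conn, f"1 AND ({condition})", "") != []


def blind_extract(conn: sqlite3.Connection, column: str, length: int) -> str:
    """Recover a hidden column of the inode-1 row using only quote-free conditions built
    from functions the blacklist does not mention (substr, unicode)."""
    recovered = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126  # printable ASCII; binary search costs ~7 requests per character
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr({column}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    db = make_db()
    print(find_children_vulnerable(db, "1 AND 1=1", ""))  # ['Products']: condition true
    print(find_children_vulnerable(db, "1 AND 1=2", ""))  # []: condition false
    print(blind_extract(db, "category_key", 8))           # pk-alpha, never returned directly
    print(find_children_hardened(db, "1 AND 1=1", ""))    # []: the payload is just a string now
```

The probe pair `1 AND 1=1` / `1 AND 1=2` is the check a tester runs first: if the two responses differ, the parameter is an oracle. Note that blind_extract only works against the vulnerable builder; against the parameterized one the bound value never reaches the parser, so there is nothing to blacklist.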
Recommendations: For dotCMS versions prior to 3.6.2, update to version 3.6.2 or later, which resolves the issue. As a temporary workaround, restrict access to the /categoriesServlet path (for example at a reverse proxy or web application firewall, to an allowlist of trusted sources) to minimize the risk of exploitation, and reject requests to that path that carry the q or inode parameters until the upgrade is in place.
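As an added example of the temporary workaround, not dotCMS code and not a configuration the page provides, here is the decision a front-end rule has to make, written as a small Python function so the edge cases are visible. The allowlisted network, the request shapes and the treatment of form bodies are assumptions for illustration. The point worth taking from it is the normalization step: a path rule that compares the raw request string will miss percent-encoded letters, a `;jsessionid=` path parameter, doubled slashes or a trailing slash, and the affected parameters may also arrive in a POST body rather than the query string.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, unquote

# Hypothetical allowlist: only an internal management network may reach the servlet.
ALLOWED_SOURCES = [ip_network("10.0.0.0/8")]
AFFECTED_PATH = "/categoriesservlet"
BLOCKED_PARAMS = {"q", "inode"}


def normalize_path(raw_path: str) -> str:
    """Canonicalize before matching so trivial variants cannot slip past the rule:
    percent-encoding (/categories%53ervlet), path parameters (;jsessionid=...),
    doubled slashes, a trailing slash and letter case."""
    path = raw_path.split("?", 1)[0]
    path = unquote(path).split(";", 1)[0]
    while "//" in path:
        path = path.replace("//", "/")
    return path.rstrip("/").lower() or "/"


def decide(raw_path: str, remote_addr: str, body: str = "") -> tuple:
    """Model of the workaround as a reverse-proxy rule (illustrative, not dotCMS code).
    Returns (verdict, reason) where verdict is 'allow' or 'deny'."""
    if normalize_path(raw_path) != AFFECTED_PATH:
        return ("allow", "path not affected")
    if not any(ip_address(remote_addr) in net for net in ALLOWED_SOURCES):
        return ("deny", "source address not on allowlist")
    query = raw_path.split("?", 1)[1] if "?" in raw_path else ""
    # The servlet reads parameters from the query string or a form body; inspect both.
    seen = set(parse_qs(query, keep_blank_values=True))
    seen |= set(parse_qs(body, keep_blank_values=True))
    hit = seen & BLOCKED_PARAMS
    if hit:
        return ("deny", "affected parameter(s): " + ", ".join(sorted(hit)))
    return ("allow", "trusted source, no affected parameters")


if __name__ == "__main__":
    # Constructed requests: an outside probe, an inside call, and two evasion attempts.
    for path, addr, body in [
        ("/categoriesServlet?q=test", "203.0.113.5", ""),
        ("/categoriesServlet", "10.1.2.3", ""),
        ("/categoriesServlet;jsessionid=abc?inode=1", "10.1.2.3", ""),
        ("//categories%53ervlet/", "203.0.113.5", ""),
        ("/categoriesServlet", "10.1.2.3", "inode=1"),
    ]:
        print(path, addr, body or "-", "->", decide(path, addr, body))
```

Deny-by-default on the affected path, with parameter filtering only as a second layer, is the safer ordering: the parameter check cannot see every way a value reaches the servlet, whereas the source restriction removes unauthenticated Internet access, which is what makes the score 9.8.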

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers: CVE-2017-5344

Affected Products: Dotcms