PT-2023-22684 · Dotcms · Dotcms

Published: 2023-10-17 · Updated: 2024-09-30 · CVE-2023-3042

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

dotCMS versions prior to 23.06
dotCMS versions prior to LTS 22.03.7
dotCMS versions prior to LTS 23.01.4

Description

A flaw in the NormalizationFilter of dotCMS does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. For example, the URL https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp should return a 404 response but does not. The issue is due to an oversight in the default invalid URL character list, which can be viewed at the provided GitHub link. To mitigate, users can block URLs with double slashes at firewalls or use dotCMS config variables, such as the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environment variable to add // to the list of invalid strings, or the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable to block specific URLs, for instance //html.* URLs.

Recommendations

For versions prior to 23.06, update to version 23.06 or later. For versions prior to LTS 22.03.7, update to LTS 22.03.7 or later. For versions prior to LTS 23.01.4, update to LTS 23.01.4 or later. As a temporary workaround, consider blocking URLs with double slashes at firewalls or using dotCMS config variables, such as the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environment variable to add // to the list of invalid strings, or the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable to block specific URLs.
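
The check below is an added example, not dotCMS code and not part of the original advisory: it applies the forbidden string (//) and forbidden regex (//html.*) from the workaround to request paths and reports access-log entries where such a path was served instead of answered with 404. The log lines are constructed, the function and variable names are hypothetical, and checking only the path (not the query string) is an assumption.

```python
import re
from urllib.parse import urlsplit

# Values the advisory suggests; how dotCMS itself parses them is not modelled.
FORBIDDEN_STRINGS = ["//"]
FORBIDDEN_REGEX = [re.compile(r"//html.*")]

# Constructed access-log lines (common log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Oct/2023:10:00:01 +0000] "GET /about-us/index HTTP/1.1" 200 4096',
    '203.0.113.5 - - [17/Oct/2023:10:00:02 +0000] "GET //html/portlet/ext/files/edit_text_inc.jsp HTTP/1.1" 200 2048',
    '198.51.100.9 - - [17/Oct/2023:10:00:03 +0000] "GET /blog?next=https://example.org/a HTTP/1.1" 200 512',
    '198.51.100.9 - - [17/Oct/2023:10:00:04 +0000] "GET /images//logo.png HTTP/1.1" 404 153',
]

REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')


def request_path(target: str) -> str:
    """Return only the path of a request target or absolute URL."""
    if target.startswith("/"):
        # Origin-form target: urlsplit would read a leading "//" as a host.
        return re.split(r"[?#]", target, maxsplit=1)[0]
    return urlsplit(target).path


def is_forbidden(target: str) -> bool:
    """True if the path matches a forbidden string or regex."""
    path = request_path(target)
    return (any(s in path for s in FORBIDDEN_STRINGS)
            or any(r.search(path) for r in FORBIDDEN_REGEX))


def served_double_slash(lines):
    """Return (path, status) for forbidden paths that were not answered 404."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if m and is_forbidden(m.group(1)) and m.group(2) != "404":
            hits.append((request_path(m.group(1)), int(m.group(2))))
    return hits


if __name__ == "__main__":
    for path, status in served_double_slash(SAMPLE_LOG):
        print(status, path)
```

An empty result after the workaround or the upgrade is applied indicates double-slash paths are being rejected; the `//` that follows the scheme in an absolute URL is never counted because only the path is inspected.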

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2023-3042

Affected Products: Dotcms