← Advisories

dotCMS 3.2.4 Multiple Vulnerabilities

Medium

Advisory ID

ZSL-2015-5290

Release Date

08 December 2015

Vendor

dotCMS Software, LLC - http://www.dotcms.com

Affected Version

3.2.4 (Enterprise)

CVE

N/A

Tested On

Apache-Coyote/1.1

Summary

DotCMS is the next generation of Content Management System (CMS). Quick to deploy, open source, Java-based, open APIs, extensible and massively scalable, dotCMS can rapidly deliver personalized, engaging multi-channel sites, web apps, campaigns, one-pagers, intranets - all types of content driven experiences - without calling in your developers.

Description

The application suffers from multiple security vulnerabilities including: Open Redirection, multiple Stored and Reflected XSS and Cross-Site Request Forgery (CSRF).

Proof of Concept

dotcms_mv.txtTXT

Disclosure Timeline

19.11.2015Vulnerabilities discovered.

23.11.2015Vendor contacted.

23.11.2015Vendor responds asking more details.

23.11.2015Sent details to the vendor.

23.11.2015Working with the vendor.

30.11.2015Asked vendor for status update.

30.11.2015Vendor confirms issues, created patch, version 3.3 release in two weeks.

04.12.2015Vendor releases version 3.3 to address these issues.

08.12.2015Coordinated public security advisory released.