CVE-2023-3042

CVSS Score of 10 (low)

Details

Published Oct 17, 2023
Updated: Oct 25, 2023
CWE ID 79
CWE ID 20

Summary

CVE-2023-3042 is a vulnerability affecting dotCMS versions 23.06+ and LTS 22.0. The flaw is found in the NormalizationFilter, which fails to remove double slashes (//) from URLs, potentially allowing for XSS and access control bypasses. The issue can be observed in URLs like https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp, which should result in a 404 response but does not. To mitigate the vulnerability, users can block URLs with double slashes at firewalls or utilize dotCMS config variables such as DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS and DOT_URI_NORMALIZATION_FORBIDDEN_REGEX. The risk score for this vulnerability is 25, and it has been assigned a baseSeverity of "MEDIUM" by [email protected] and NIST.

Share

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2023-3042 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options