Armis Vulnerability Intelligence Database

Description Preview

A vulnerability has been discovered in dotCMS where the NormalizationFilter component fails to properly strip double slashes (//) from URLs. This flaw can potentially enable attackers to bypass XSS protections and access controls. The issue exists because double slashes were not included in the default invalid URL character list, allowing URLs like https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp to be processed when they should have returned a 404 error.

Overview

This vulnerability (CVE-2023-3042) is classified as CWE-79 (Cross-site Scripting). The flaw in dotCMS's NormalizationFilter allows attackers to craft URLs with double slashes that bypass security controls. The oversight in the default invalid URL character list can be observed in the NormalizationFilter.java file. When exploited, this vulnerability could potentially allow attackers to execute malicious scripts in the context of other users' browsers, potentially leading to session hijacking, credential theft, or other client-side attacks.

Remediation

To address this vulnerability, users should:

Upgrade to a fixed version of dotCMS:
- Version 23.06 or newer
- LTS 22.03.7 or newer
- LTS 23.01.4 or newer

For users who cannot immediately upgrade, the following mitigations are available:

Block URLs containing double slashes at the firewall level
Configure dotCMS environmental variables:
- Set DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS to include // in the list of invalid strings
- Use DOT_URI_NORMALIZATION_FORBIDDEN_REGEX for more granular control, such as blocking URLs matching the pattern //html.*

References

Vendor Advisory: https://www.dotcms.com/security/SI-68
GitHub source code reference: https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

Accommodation & Food Services
Accommodation & Food Services
Administrative, Support, Waste Management & Remediation Services
Administrative, Support, Waste Management & Remediation Services
Agriculture, Forestry Fishing & Hunting
Agriculture, Forestry Fishing & Hunting
Arts, Entertainment & Recreation
Arts, Entertainment & Recreation
Construction
Construction
Educational Services
Educational Services
Finance and Insurance
Finance and Insurance
Health Care & Social Assistance
Health Care & Social Assistance
Information
Information
Management of Companies & Enterprises
Management of Companies & Enterprises
Manufacturing
Manufacturing
Mining
Mining
Other Services (except Public Administration)
Other Services (except Public Administration)
Professional, Scientific, & Technical Services
Professional, Scientific, & Technical Services
Public Administration
Public Administration
Real Estate Rental & Leasing
Real Estate Rental & Leasing
Retail Trade
Retail Trade
Transportation & Warehousing
Transportation & Warehousing
Utilities
Utilities
Wholesale Trade
Wholesale Trade

^{CVE-2023-3042:}Cross-site scripting (XSS) vulnerability in dotCMS due to improper URL normalization that fails to strip double slashes.

Description Preview

Overview

Remediation

References

Focus on What Matters

Let's talk!