Assetnote researchers discovered that dotCMS, a popular open-source content management system with more than 10,000 users across over 70 countries, is affected by a critical pre-authenticated remote code execution flaw that could be exploited for arbitrary command execution, reports The Hacker News.
Threat actors could abuse the vulnerability, tracked as CVE-2022-26352, to upload arbitrary files, said Assetnote's Shubham Shah. "By uploading a JSP file to the tomcat's root directory, it is possible to achieve code execution, leading to command execution," Shah added. The bug has already been addressed in dotCMS versions 22.03, 5.3.8.10, and 21.06.7 after being reported by Assetnote in February. "When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the file down in a temp directory. In the case of this vulnerability, dotCMS does not sanitize the filename passed in via the multipart request header and thus does not sanitize the temp file's name," said dotCMS.
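
The class of fix the dotCMS statement points to, as an added example that is not dotCMS code or its actual patch: a Java upload handler that reduces the client-supplied multipart filename to its last component and verifies the resolved path is still a direct child of the temp directory. The class name `SafeTempUpload`, the method `resolveInside`, and the sample filenames are assumptions constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class SafeTempUpload {

    /**
     * Map a client-supplied multipart filename (hypothetical helper) to a
     * path that sits directly inside tempDir, or throw IOException.
     */
    static Path resolveInside(Path tempDir, String clientName) throws IOException {
        if (clientName == null || clientName.indexOf('\0') >= 0) {
            throw new IOException("rejected filename");
        }
        // Treat both '/' and '\' as separators regardless of host OS,
        // then keep only the last path component.
        String normalized = clientName.replace('\\', '/');
        String base = normalized.substring(normalized.lastIndexOf('/') + 1);
        if (base.isEmpty() || base.equals(".") || base.equals("..")) {
            throw new IOException("rejected filename");
        }
        Path root = tempDir.toAbsolutePath().normalize();
        Path target = root.resolve(base).normalize();
        // Defence in depth: the result must still be a direct child of root.
        if (!root.equals(target.getParent())) {
            throw new IOException("path escapes temp directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("upload-demo");
        // Constructed sample values, as a filename parameter might arrive
        // in the Content-Disposition header of a multipart request.
        String[] samples = {
            "report.pdf", "../../elsewhere/page.jsp", "..\\..\\page.jsp", "..", ""
        };
        for (String s : samples) {
            try {
                Path p = resolveInside(tmp, s);
                System.out.println("accept '" + s + "' -> " + p.getFileName());
            } catch (IOException e) {
                System.out.println("reject '" + s + "' (" + e.getMessage() + ")");
            }
        }
    }
}
```

Traversal-style names are written under their last component only, so nothing lands outside the temp directory. Generating a random server-side name and storing the client's name as metadata avoids trusting the header value at all.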