Researchers discovered a critical vulnerability in dotCMS

May 6, 2022

A pre-authenticated remote code execution (RCE) flaw has been discovered in dotCMS, an open source content management system. The system is written in Java and is used by roughly 10,000 customers in more than 70 countries, ranging from Fortune 500 brands to mid-sized businesses.

If exploited successfully, the vulnerability allows a threat actor to execute code remotely on the dotCMS host.

The critical vulnerability in dotCMS is tracked as CVE-2022-26352 and stems from a directory traversal issue in the handling of file uploads, which allows a threat actor or group to run arbitrary commands on the affected system.

According to the research team that discovered the flaw, an attacker can upload arbitrary files to the affected system. Beyond that, remote code execution is possible: uploading a JSP file into Tomcat's ROOT directory yields command execution. In effect, the arbitrary file upload can be used to overwrite existing files on the system with a web shell.

In other words, the flaw can be used by malicious operators to obtain persistent remote access.

The researchers also noted that, while the nature of the flaw lends itself to command execution, the same exploit makes it possible to overwrite arbitrary JavaScript files served by the application.

For its part, dotCMS said the flaw had been reported to it a couple of months earlier and was patched immediately, with new versions made available.

The company explained that when files are uploaded to dotCMS through the Content API, the CMS first writes the file to a temporary directory before it becomes content.

Because of the vulnerability, dotCMS did not sanitise the filename passed in the multipart request header, and that unsanitised value became the temp file's name. An attacker could therefore supply a traversing filename and write a crafted .jsp file into the ROOT or another web application directory of the Tomcat instance hosting dotCMS, which Tomcat then executes, giving the attacker remote code execution.
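The mechanism described above, as an added stand-alone illustration (this is not dotCMS or Tomcat code): a multipart body is built with a traversing filename, a naive handler names the temp file after it and lands the file in a webroot, and a hardened handler rejects it. The directory layout, the function names, the boundary string and the placeholder file contents are all assumptions made for the demo.

```python
"""Added illustration of the bug class behind CVE-2022-26352: a multipart
upload whose client-supplied filename is used, unsanitised, as the name of
the temp file. Lab code only; directory layout and names are assumed."""
import re
import shutil
import tempfile
from pathlib import Path

BOUNDARY = "----constructedBoundary42"  # constructed, not from a real request


def build_multipart(filename: str, content: str, boundary: str = BOUNDARY) -> bytes:
    """Constructed multipart/form-data body carrying one file part."""
    return (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n"
        "\r\n"
        f"{content}\r\n"
        f"--{boundary}--\r\n"
    ).encode()


def parse_multipart(body: bytes, boundary: str = BOUNDARY) -> list:
    """Minimal parser returning (filename, content) per file part, taking the
    filename straight from Content-Disposition as a naive server would."""
    parts = []
    for chunk in body.split(f"--{boundary}".encode()):
        chunk = chunk.strip(b"\r\n")
        if not chunk or chunk == b"--":
            continue
        headers, _, content = chunk.partition(b"\r\n\r\n")
        m = re.search(rb'filename="([^"]*)"', headers)
        if m:
            parts.append((m.group(1).decode(), content))
    return parts


def vulnerable_temp_write(temp_dir: Path, filename: str, content: bytes) -> Path:
    """Flawed pattern: the temp file is named after the client filename, so
    "../" segments walk out of temp_dir to anywhere the process can write."""
    target = temp_dir / filename
    target.write_bytes(content)
    return target.resolve()


def safe_temp_write(temp_dir: Path, filename: str, content: bytes) -> Path:
    """Hardened pattern: refuse directory components outright, whitelist the
    characters, then confirm the resolved path is still inside temp_dir."""
    if "/" in filename or "\\" in filename:
        raise ValueError(f"rejected {filename!r}: path separators not allowed")
    if filename in ("", ".", "..") or not re.fullmatch(r"[A-Za-z0-9._-]+", filename):
        raise ValueError(f"rejected {filename!r}: disallowed characters")
    root = temp_dir.resolve()
    target = (root / filename).resolve()
    if target.parent != root:  # defence in depth, e.g. a symlinked name
        raise ValueError(f"rejected {filename!r}: escapes upload directory")
    target.write_bytes(content)
    return target


def demo() -> tuple:
    """Build a throwaway layout mimicking a servlet container install and run
    both writers. Returns (vulnerable_landed_in_webroot, hardened_rejected,
    hardened_benign_stayed_inside)."""
    lab = Path(tempfile.mkdtemp(prefix="upload-lab-"))
    temp_dir = lab / "dotcms" / "upload_tmp"  # assumed temp upload directory
    webroot = lab / "webapps" / "ROOT"        # assumed Tomcat ROOT webapp
    temp_dir.mkdir(parents=True)
    webroot.mkdir(parents=True)

    # From upload_tmp, two ".." reach the lab root, then into webapps/ROOT.
    evil_name = "../../webapps/ROOT/shell.jsp"
    body = build_multipart(evil_name, '<%= "placeholder, not a real shell" %>')
    (filename, content), = parse_multipart(body)

    written = vulnerable_temp_write(temp_dir, filename, content)
    landed_in_webroot = written.parent == webroot.resolve()

    try:
        safe_temp_write(temp_dir, filename, content)
        rejected = False
    except ValueError:
        rejected = True

    benign = safe_temp_write(temp_dir, "report.pdf", b"%PDF-1.4 constructed")
    benign_inside = benign.parent == temp_dir.resolve()

    shutil.rmtree(lab, ignore_errors=True)
    return landed_in_webroot, rejected, benign_inside


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The hardened writer deliberately rejects rather than "cleans" a filename with directory parts: stripping to a basename would also neutralise the traversal, but rejecting makes the attempt visible in logs, and the final containment check catches anything the earlier filters miss.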