|Requires Admin Access:||No|
|Fix Version:||22.06, 22.03.2, 21.06.9, 22.214.171.124|
Some Java Application frameworks, including those used by Spring or Tomcat, allow the use of “matrix parameters” — URI parameters separated by semicolons. Through precise semicolon placement in a URI, it is possible to exploit this feature to avoid dotCMS's path-based XSS prevention/require login filters and access restricted resources.
For example, the semicolon in the URL below would reveal to anyone a text file ordinarily only visible to signed-in users:
The ability to circumvent these filters can be chained with other code to expolit dotCMS using XSS attacks.
dotCMS recommends upgrading to one of the versions of dotCMS patched against this vulnerability, which include the following, as well as subsequent versions:
It is possible to create a WAF rule that disallows ; (semi-colons) specifically in the the URI portion of a request URL. This would effectivily block any exploit of the vunerability.
The following OSGi plugin, designed to work with versions dotCMS 5.1.6 and later, can be used to mitigate the issue in running dotCMS instances:
dotCMS has already applied mitigations for this issue to all dotCMS Cloud customers; no action is needed.