|Requires Admin Access:||Yes|
|Fix Version:||22.12+, LTS 21.06.12+, LTS 22.03.4+|
|Credit:||Christos - Minas Mathas|
An authenticated directory traversal vulnerability in the dotCMS API can lead to RCE. The "/api/integrity/_fixconflictsfromremote" endpoint accepts a zip file and extracts it without performing a path traversal check. This can be exploited by sending a specially crafted zip file whose entry names contain directory traversal characters (/../../xyz.sh), which allows the contents to be extracted to an arbitrary path inside the system.
This vulnerability requires Admin privileges to exploit.