8 matches found
CVE-2022-26352
An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous...
CISA Adds 10 New Known Actively Exploited Vulnerabilities to its Catalog
The U.S. Cybersecurity and Infrastructure Security Agency CISA on Friday added 10 new actively exploited vulnerabilities to its Known Exploited Vulnerabilities KEV Catalog, including a high-severity security flaw affecting industrial automation software from Delta Electronics. The issue, tracked ...
dotCMS Arbitrary File Upload (CVE-2022-26352; CVE-2018-5445)
An arbitrary file upload vulnerability exists in dotCMS. Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the vulnerable system with administrative privileges...
CVE-2022-26352
An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous...
CVE-2022-26352
DotCMS ContentResource API (CVE-2022-26352) vulnerable to arbitrary file upload via POST /api/content in 3.0–22.02. An unsanitized filename in multipart form can cause directory traversal, saving files outside the intended storage. If anonymous content creation is enabled, an attacker could uploa...
Metasploit Weekly Wrap-Up
Ask and you may receive Module suggestions for the win, this week we see a new module written by jheysel-r7 based on CVE-2022-26352 that happens to have been suggested by jvoisin in the issue queue last month. This module targets an arbitrary file upload in dotCMS versions before 22.03, 5.3.8.10,...
dotCMS Shell Upload
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'DotCMS RCE via Arbitrary File Upload.', 'Description' = %q When files are uploaded into dotCMS via the content API, but before they become conten...
CVE-2022-26352
creationtimestamp| type| source ---|---|--- 2022-05-04 14:13:23+00:00| seen| https://t.me/thehackernews/2146 2022-06-02 13:52:54+00:00| seen| https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/dotcmsfileuploadrce.rb 2022-07-03 06:46:51+00:00|...