dotCMS 3.2.4 Multiple Vulnerabilities


Vendor: dotCMS Software, LLC
Product web page: http://www.dotcms.com
Affected version: 3.2.4 (Enterprise)

Summary: DotCMS is the next generation of Content Management System (CMS).
Quick to deploy, open source, Java-based, open APIs, extensible and massively
scalable, dotCMS can rapidly deliver personalized, engaging multi-channel
sites, web apps, campaigns, one-pagers, intranets - all types of content
driven experiences - without calling in your developers.

Desc: The application suffers from multiple security vulnerabilities
including: Open Redirection, multiple Stored and Reflected XSS and
Cross-Site Request Forgery (CSRF).

Tested on: Apache-Coyote/1.1


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2015-5290
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5290.php

Vendor: http://dotcms.com/docs/latest/change-log
        https://github.com/dotCMS/core/commit/7b86fc850bf547e8c82366240dae27e7e56b4305
        https://github.com/dotCMS/core/commit/1fdebbbd76619992356e9443230e35be8a2b60c3


19.11.2015

--


1. Open Redirect via '_EXT_LANG_redirect' GET parameter:
--------------------------------------------------------


2. CSRF Add Admin:
------------------


3. Multiple Stored And Reflected XSS:
-------------------------------------

POST /dwr/call/plaincall/TagAjax.addTag.dwr HTTP/1.1
Host:

callCount=1
windowName=c0-param0
c0-scriptName=TagAjax
c0-methodName=addTag
c0-id=0
c0-param0=
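
For item 1, a log-triage check added here as an example (not part of the advisory and not dotCMS code): it scans web access logs for requests whose '_EXT_LANG_redirect' value points at a host other than the site's own. The hostname cms.example.test, the path /some/page and the log lines are constructed assumptions; the advisory does not name the URL that accepts the parameter.

```python
import re
from urllib.parse import urlsplit, parse_qs

PARAM = "_EXT_LANG_redirect"        # parameter named in the advisory
SITE_HOSTS = {"cms.example.test"}   # assumption: hosts the site legitimately serves

# Constructed access-log lines (Combined Log Format). The path /some/page is a
# placeholder; the advisory does not say which URL accepts the parameter.
SAMPLE_LOG = """\
198.51.100.7 - - [19/Nov/2015:10:01:02 +0000] "GET /some/page?_EXT_LANG_redirect=%2Fhome HTTP/1.1" 302 0
203.0.113.9 - - [19/Nov/2015:10:02:11 +0000] "GET /some/page?_EXT_LANG_redirect=http%3A%2F%2Foffsite.example.net%2F HTTP/1.1" 302 0
203.0.113.9 - - [19/Nov/2015:10:02:40 +0000] "GET /some/page?_EXT_LANG_redirect=%2F%2Foffsite.example.net%2Fx HTTP/1.1" 302 0
198.51.100.7 - - [19/Nov/2015:10:03:05 +0000] "GET /some/page?_EXT_LANG_redirect=https%3A%2F%2Fcms.example.test%2Fhome HTTP/1.1" 302 0
198.51.100.8 - - [19/Nov/2015:10:04:00 +0000] "GET /other?lang=en HTTP/1.1" 200 1830
"""

REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) HTTP/[\d.]+"')


def redirect_host(value):
    """Host a browser would navigate to for this value; None for a relative path."""
    try:
        # Browsers treat a backslash like a slash, so normalise before parsing.
        return urlsplit(value.strip().replace("\\", "/")).hostname
    except ValueError:
        return "unparseable"  # malformed authority: surface it for manual review


def find_offsite_redirects(log_text, site_hosts=SITE_HOSTS):
    """Return (client_ip, target_host, raw_value) for each off-site redirect value."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue  # not a request line this pattern understands
        client, target = m.groups()
        # parse_qs percent-decodes each value once before it is inspected.
        for value in parse_qs(urlsplit(target).query).get(PARAM, []):
            host = redirect_host(value)
            if host and host not in site_hosts:
                hits.append((client, host, value))
    return hits


if __name__ == "__main__":
    for client, host, value in find_offsite_redirects(SAMPLE_LOG):
        print(f"{client} -> {host}  ({PARAM}={value})")
```

Only the query string is inspected, so a deployment that accepts the parameter in a POST body would need the same check applied to request-body logging.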