← Volver a CVEs
CVE-2022-26352
CRITICALCISA KEV9.8
Descripcion
An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution.
Detalles CVE
Puntuacion CVSS v3.19.8
SeveridadCRITICAL
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosNONE
Interaccion usuarioNONE
Publicado7/17/2022
Ultima modificacion11/3/2025
Fuentekev
Avistamientos honeypot0
CISA KEV
VendedordotCMS
ProductodotCMS
Nombre vulnerabilidaddotCMS Unrestricted Upload of File Vulnerability
Fecha inclusion KEV2022-08-25
Fecha limite remediacion2022-09-15
Uso en ransomwareKnown
Productos afectados
dotcms:dotcms
Referencias
https://groups.google.com/g/dotcms(cve@mitre.org)
http://packetstormsecurity.com/files/167365/dotCMS-Shell-Upload.html(af854a3a-2127-422b-91ae-364da2661108)
https://groups.google.com/g/dotcms(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26352(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.