2024-07-25 23:58:13 +00:00
{
"id" : "CVE-2024-3938" ,
"sourceIdentifier" : "security@dotcms.com" ,
"published" : "2024-07-25T22:15:08.903" ,
2024-12-08 03:06:42 +00:00
"lastModified" : "2024-11-21T09:30:44.540" ,
"vulnStatus" : "Modified" ,
2024-07-25 23:58:13 +00:00
"cveTags" : [ ] ,
"descriptions" : [
{
"lang" : "en" ,
"value" : "The \"reset password\" login page accepted an HTML injection via URL parameters.\n\nThis has already been rectified via patch, and as such it cannot be demonstrated via Demo site link. Those interested to see the vulnerability may spin up a http://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true&resetEmail=%3Ch1%3E%3Ca%20href%3D%22https:%2F%2Fgoogle.com%22%3ECLICK%20ME%3C%2Fa%3E%3C%2Fh1%3E \n\nThis will result in a view along these lines:\n\n\n\n\n\n * OWASP Top 10 - A03: Injection\n * CVSS Score: 5.4\n * AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator \n * https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N&... https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator"
2024-07-26 14:03:12 +00:00
} ,
{
"lang" : "es" ,
"value" : "La p\u00e1gina de inicio de sesi\u00f3n \"reset password\" acept\u00f3 una inyecci\u00f3n de HTML a trav\u00e9s de par\u00e1metros de URL. Esto ya se ha rectificado mediante un parche y, como tal, no se puede demostrar mediante el enlace del sitio de demostraci\u00f3n. Aquellos interesados en ver la vulnerabilidad pueden activar un http://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true&resetEmail=%3Ch1%3E%3Ca%20href%3D%22https:%2F%2Fgoogle.com% 22%3ECLICK%20ME%3C%2Fa%3E%3C%2Fh1%3E Esto dar\u00e1 como resultado una vista similar a estas l\u00edneas: * OWASP Top 10 - A03: Inyecci\u00f3n * Puntuaci\u00f3n CVSS: 5,4 * AV:N/AC:L/PR :N/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator * https://nvd.nist. gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N&... https: //nvd.nist.gov/vuln-metrics/cvss/v3-calculator"
2024-07-25 23:58:13 +00:00
}
] ,
"metrics" : {
"cvssMetricV31" : [
2024-08-13 16:03:13 +00:00
{
2024-12-08 03:06:42 +00:00
"source" : "security@dotcms.com" ,
"type" : "Secondary" ,
2024-08-13 16:03:13 +00:00
"cvssData" : {
"version" : "3.1" ,
2024-12-08 03:06:42 +00:00
"vectorString" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" ,
"baseScore" : 5.4 ,
"baseSeverity" : "MEDIUM" ,
2024-08-13 16:03:13 +00:00
"attackVector" : "NETWORK" ,
"attackComplexity" : "LOW" ,
"privilegesRequired" : "NONE" ,
"userInteraction" : "REQUIRED" ,
2024-12-08 03:06:42 +00:00
"scope" : "UNCHANGED" ,
2024-08-13 16:03:13 +00:00
"confidentialityImpact" : "LOW" ,
"integrityImpact" : "LOW" ,
2024-12-08 03:06:42 +00:00
"availabilityImpact" : "NONE"
2024-08-13 16:03:13 +00:00
} ,
"exploitabilityScore" : 2.8 ,
2024-12-08 03:06:42 +00:00
"impactScore" : 2.5
2024-08-13 16:03:13 +00:00
} ,
2024-07-25 23:58:13 +00:00
{
2024-12-08 03:06:42 +00:00
"source" : "nvd@nist.gov" ,
"type" : "Primary" ,
2024-07-25 23:58:13 +00:00
"cvssData" : {
"version" : "3.1" ,
2024-12-08 03:06:42 +00:00
"vectorString" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" ,
"baseScore" : 6.1 ,
"baseSeverity" : "MEDIUM" ,
2024-07-25 23:58:13 +00:00
"attackVector" : "NETWORK" ,
"attackComplexity" : "LOW" ,
"privilegesRequired" : "NONE" ,
"userInteraction" : "REQUIRED" ,
2024-12-08 03:06:42 +00:00
"scope" : "CHANGED" ,
2024-07-25 23:58:13 +00:00
"confidentialityImpact" : "LOW" ,
"integrityImpact" : "LOW" ,
2024-12-08 03:06:42 +00:00
"availabilityImpact" : "NONE"
2024-07-25 23:58:13 +00:00
} ,
"exploitabilityScore" : 2.8 ,
2024-12-08 03:06:42 +00:00
"impactScore" : 2.7
2024-07-25 23:58:13 +00:00
}
]
} ,
"weaknesses" : [
2024-08-13 16:03:13 +00:00
{
2024-12-08 03:06:42 +00:00
"source" : "security@dotcms.com" ,
"type" : "Secondary" ,
2024-08-13 16:03:13 +00:00
"description" : [
{
"lang" : "en" ,
2024-12-08 03:06:42 +00:00
"value" : "CWE-20"
2024-08-13 16:03:13 +00:00
}
]
} ,
2024-07-25 23:58:13 +00:00
{
2024-12-08 03:06:42 +00:00
"source" : "nvd@nist.gov" ,
"type" : "Primary" ,
2024-07-25 23:58:13 +00:00
"description" : [
{
"lang" : "en" ,
2024-12-08 03:06:42 +00:00
"value" : "CWE-79"
2024-07-25 23:58:13 +00:00
}
]
}
] ,
2024-08-13 16:03:13 +00:00
"configurations" : [
{
"nodes" : [
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*" ,
"versionStartIncluding" : "5.1.5" ,
"versionEndExcluding" : "23.01.18" ,
"matchCriteriaId" : "5D8CDD8C-0F92-4218-ACDB-C3E691F928AF"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*" ,
"versionStartIncluding" : "23.02" ,
"versionEndIncluding" : "23.09.7" ,
"matchCriteriaId" : "E85B4224-34E8-47CD-8F08-8B129868AF1F"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*" ,
"versionStartIncluding" : "23.12.21" ,
"versionEndIncluding" : "24.04.23" ,
"matchCriteriaId" : "6A6601A2-B008-44C9-A7C4-1DB2D613BD14"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*" ,
"versionStartIncluding" : "24.05.13" ,
"versionEndExcluding" : "24.05.31" ,
"matchCriteriaId" : "379748A4-D76F-4402-9A4F-E509C6735285"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:dotcms:dotcms:23.10.24:1:*:*:lts:*:*:*" ,
"matchCriteriaId" : "33DBCA2A-D4E2-4AE6-B6E0-FD0A277266F4"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:dotcms:dotcms:23.10.24:10:*:*:lts:*:*:*" ,
"matchCriteriaId" : "DECC3919-5044-41AF-9AAA-A964027F51C1"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:dotcms:dotcms:23.10.24:2:*:*:lts:*:*:*" ,
"matchCriteriaId" : "342C11DD-7760-42AE-8670-4461ECB51E4C"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:dotcms:dotcms:23.10.24:3:*:*:lts:*:*:*" ,
"matchCriteriaId" : "90B73A81-7202-4B0B-822B-4F2EE4480663"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:dotcms:dotcms:23.10.24:4:*:*:lts:*:*:*" ,
"matchCriteriaId" : "0BFA7220-B846-451B-A7B2-C3DC87767575"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:dotcms:dotcms:23.10.24:5:*:*:lts:*:*:*" ,
"matchCriteriaId" : "258813CA-66A7-4DCA-883D-884FB88430DC"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:dotcms:dotcms:23.10.24:6:*:*:lts:*:*:*" ,
"matchCriteriaId" : "E69C8B72-A38C-4D97-83BB-DCE392D3ABD0"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:dotcms:dotcms:23.10.24:7:*:*:lts:*:*:*" ,
"matchCriteriaId" : "B5309F19-2D65-4E87-87FD-2A0294008FF5"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:dotcms:dotcms:23.10.24:8:*:*:lts:*:*:*" ,
"matchCriteriaId" : "CBAEE45C-234C-4E5C-86CF-4F71A457D6F7"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:dotcms:dotcms:23.10.24:9:*:*:lts:*:*:*" ,
"matchCriteriaId" : "FD553D7C-158F-489D-8C4C-8E2E056D52BA"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:dotcms:dotcms:23.10.24.0:*:*:*:lts:*:*:*" ,
"matchCriteriaId" : "9692C9DB-6111-4EE6-8DE8-1614DF87F365"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:dotcms:dotcms:24.04.24:-:*:*:*:*:*:*" ,
"matchCriteriaId" : "EB1AD7A4-1F60-493C-8BB2-E13F44F3CCD6"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:dotcms:dotcms:24.04.24:0:*:*:lts:*:*:*" ,
"matchCriteriaId" : "EE62FB6F-DB41-47B4-B8F7-0B9C887781D5"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:dotcms:dotcms:24.04.24:1:*:*:lts:*:*:*" ,
"matchCriteriaId" : "395197BB-2613-43BA-9223-195461F993D3"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:dotcms:dotcms:24.04.24:2:*:*:lts:*:*:*" ,
"matchCriteriaId" : "72350E82-5B73-41A9-B3F1-8CA7BF389897"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:dotcms:dotcms:24.04.24:3:*:*:lts:*:*:*" ,
"matchCriteriaId" : "478A668F-DD76-4C0C-A444-A760C1AA5623"
}
]
}
]
}
] ,
2024-07-25 23:58:13 +00:00
"references" : [
{
2024-07-26 16:03:12 +00:00
"url" : "https://www.dotcms.com/security/SI-71" ,
2024-08-13 16:03:13 +00:00
"source" : "security@dotcms.com" ,
"tags" : [
"Vendor Advisory"
]
2024-12-08 03:06:42 +00:00
} ,
{
"url" : "https://www.dotcms.com/security/SI-71" ,
"source" : "af854a3a-2127-422b-91ae-364da2661108" ,
"tags" : [
"Vendor Advisory"
]
2024-07-25 23:58:13 +00:00
}
]
}
