CVE-2022-26352

nvd nist nuclei

Published: Jul 17, 2022Modified: Nov 3, 2025CISA KEV

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution.

Affected (1)

Products: Dotcms: Dotcms

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Dotcms Dotcms	From 3.0 to 22.02

References (5)

http://packetstormsecurity.com/files/167365/dotCMS-Shell-Upload.html

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

https://groups.google.com/g/dotcms

Source: cve@mitre.org

Permissions RequiredThird Party Advisory

http://packetstormsecurity.com/files/167365/dotCMS-Shell-Upload.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

https://groups.google.com/g/dotcms

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions RequiredThird Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26352

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource

Timeline

No history available yet.