CVE-2023-3042

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-3042

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-3042.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-3042

Published

2023-10-17T23:15:11.920Z

Modified

2026-04-10T04:57:20.625022Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edittextinc.jsp , which should return a 404 response but didn't.

The oversight in the default invalid URL character list can be viewed at the provided GitHub link https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 .

To mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables.

Specifically, they can use the DOTURINORMALIZATIONFORBIDDENSTRINGS environmental variable to add // to the list of invalid strings.

Additionally, the DOTURINORMALIZATIONFORBIDDENREGEX variable offers more detailed control, for instance, to block //html.* URLs.

Fix Version:23.06+, LTS 22.03.7+, LTS 23.01.4+

References

https://www.dotcms.com/security/SI-68

Affected packages

Git / github.com/dotcms/core

Affected ranges

Type

GIT

Repo

https://github.com/dotcms/core

Events

Introduced

Last affected

0e00952a2949626727d0e1bc884bab36505e6553

Introduced

Last affected

7d604e575b3c41eef5111cb640f287aa9b1f831d

Introduced

Last affected

cd47f803452f1ec7a122f499bba63591e601f283

Introduced

Last affected

9106fff61c040ca47230b318b1cf78cd0fcc49d2

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.3.8"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "21.06"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "22.03"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "23.01"
        }
    ]
}

Affected versions

22.*

22.10.1

3.*

3.0

3.5

3.5_Preview01

3.5_Preview02

3.6.0

pre3.*

pre3.5buildrevert

v21.*

v21.06

v22.*

v22.03

v23.*

v23.01

v5.*

v5.3.8

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-3042.json"