A pre-authenticated remote code execution flaw has been revealed in dotCMS, an open-source content management system written in Java and “used by over 10,000 clients in over 70 countries around the globe, from Fortune 500 brands and mid-sized businesses.”

The flaw, tracked as CVE-2022-26352, stems from a directory traversal weakness in file uploads that allows an attacker to execute arbitrary commands on the underlying system.

“An attacker can upload arbitrary files to the system,” Shubham Shah of Assetnote said in a report. “By uploading a JSP file to the tomcat’s root directory, it is possible to achieve code execution, leading to command execution.”

The arbitrary file upload flaw can be exploited to replace files already on the system with a web shell, which can then provide persistent remote access.

The flaw could lead to arbitrary JavaScript files being used by the application, and the researchers say the bug can be weaponized to execute commands.

Assetnote said it discovered and reported the flaw on February 21, 2022, after which patches were released in versions 22.03,, and 21.06.7.

“When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the file down in a temp directory,” the company said. “In the case of this vulnerability, dotCMS does not sanitize the filename passed in via the multipart request header and thus does not sanitize the temp file’s name.”

“In the case of this exploit, an attacker can upload a special .jsp file to the webapp/ROOT directory of dotCMS which can allow for remote code execution,” it noted.
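The missing control described above is containment of the client-supplied multipart filename inside the temp directory. The following is an added example, not dotCMS code or the vendor's patch: the class and method names are hypothetical, the sample filenames are constructed, and it covers path containment only, not file-type restrictions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

public class SafeTempUpload {

    /**
     * Maps a client-supplied multipart filename to a path that is guaranteed
     * to be a direct child of tempDir, or throws IllegalArgumentException.
     * (Hypothetical helper for illustration.)
     */
    static Path resolveUpload(Path tempDir, String clientFilename) {
        if (clientFilename == null) {
            throw new IllegalArgumentException("missing filename");
        }
        // Treat both separator styles as separators and keep only the last
        // segment, so any directory components sent by the client are dropped.
        String unified = clientFilename.replace('\\', '/');
        String base = unified.substring(unified.lastIndexOf('/') + 1);
        if (base.isEmpty() || base.equals(".") || base.equals("..")
                || base.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("rejected filename");
        }
        Path root = tempDir.toAbsolutePath().normalize();
        // resolve() may throw InvalidPathException, a subclass of
        // IllegalArgumentException, for names the platform cannot represent.
        Path target = root.resolve(base).normalize();
        // Defence in depth: re-check containment on the final, normalized path.
        if (!root.equals(target.getParent())) {
            throw new IllegalArgumentException("path escapes temp directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path tempDir = Files.createTempDirectory("upload-demo");
        // Constructed sample filenames, not taken from the advisory.
        for (String name : List.of("report.pdf", "../../ROOT/example.jsp",
                                   "..\\..\\example.jsp", "..")) {
            try {
                System.out.println(name + " -> " + resolveUpload(tempDir, name));
            } catch (IllegalArgumentException e) {
                System.out.println(name + " -> " + e.getMessage());
            }
        }
    }
}
```

Names that carry traversal segments are reduced to their final component and written inside the temp directory; a bare `..` is rejected outright.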