The "reset password" login page accepted an HTML injection via URL parameters.
This has already been rectified via patch, and as such it cannot be demonstrated via Demo site link. Those interested to see the vulnerability may spin up a http://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true&resetEmail=%3Ch1%3E%3Ca%20href%3D%22https:%2F%2Fgoogle.com%22%3ECLICK%20ME%3C%2Fa%3E%3C%2Fh1%3E
This will result in a view along these lines:
* OWASP Top 10 - A03: Injection
* CVSS Score: 5.4
* AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator)
* https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N&...
Advisories
| Source | ID | Title |
|---|---|---|
| EUVD | EUVD-2024-32505 | The "reset password" login page accepted an HTML injection via URL parameters. This has already been rectified via patch, and as such it cannot be demonstrated via Demo site link. Those interested to see the vulnerability may spin up a http://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true&resetEmail=%3Ch1%3E%3Ca%20href%3D%22https:%2F%2Fgoogle.com%22%3ECLICK%20ME%3C%2Fa%3E%3C%2Fh1%3E This will result in a view along these lines: * OWASP Top 10 - A03: Injection * CVSS Score: 5.4 * AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator * https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N&... https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
| Link | Providers |
|---|---|
| https://www.dotcms.com/security/SI-71 | |
History
Tue, 13 Aug 2024 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Dotcms, Dotcms dotcms | |
| Weaknesses | CWE-79 | |
| CPEs | cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:* cpe:2.3:a:dotcms:dotcms:23.10.24.0:*:*:*:lts:*:*:* cpe:2.3:a:dotcms:dotcms:23.10.24:10:*:*:lts:*:*:* cpe:2.3:a:dotcms:dotcms:23.10.24:1:*:*:lts:*:*:* cpe:2.3:a:dotcms:dotcms:23.10.24:2:*:*:lts:*:*:* cpe:2.3:a:dotcms:dotcms:23.10.24:3:*:*:lts:*:*:* cpe:2.3:a:dotcms:dotcms:23.10.24:4:*:*:lts:*:*:* cpe:2.3:a:dotcms:dotcms:23.10.24:5:*:*:lts:*:*:* cpe:2.3:a:dotcms:dotcms:23.10.24:6:*:*:lts:*:*:* cpe:2.3:a:dotcms:dotcms:23.10.24:7:*:*:lts:*:*:* cpe:2.3:a:dotcms:dotcms:23.10.24:8:*:*:lts:*:*:* cpe:2.3:a:dotcms:dotcms:23.10.24:9:*:*:lts:*:*:* cpe:2.3:a:dotcms:dotcms:24.04.24:-:*:*:*:*:*:* cpe:2.3:a:dotcms:dotcms:24.04.24:0:*:*:lts:*:*:* cpe:2.3:a:dotcms:dotcms:24.04.24:1:*:*:lts:*:*:* cpe:2.3:a:dotcms:dotcms:24.04.24:2:*:*:lts:*:*:* cpe:2.3:a:dotcms:dotcms:24.04.24:3:*:*:lts:*:*:* | |
| Vendors & Products | Dotcms, Dotcms dotcms | |
Status: PUBLISHED
Assigner: dotCMS
Published:
Updated: 2024-08-01T20:26:57.098Z
Reserved: 2024-04-17T19:20:07.143Z
Link: CVE-2024-3938
Updated: 2024-08-01T20:26:57.098Z
Status : Modified
Published: 2024-07-25T22:15:08.903
Modified: 2024-11-21T09:30:44.540
Link: CVE-2024-3938