Description
dotCMS before 5.2.4 is vulnerable to directory traversal, leading to incorrect access control. It allows an attacker to read or execute files under $TOMCAT_HOME/webapps/ROOT/assets (which should be a protected directory). Additionally, attackers can upload temporary files (e.g., .jsp files) into /webapps/ROOT/assets/tmp_upload, which can lead to remote command execution (with the permissions of the user running the dotCMS application).
Remediation
References
Related Vulnerabilities
PrestaShop Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2019-13461)
MediaWiki Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2014-9481)
LimeSurvey Incorrect Default Permissions Vulnerability (CVE-2019-16185)
MySQL Use of Externally-Controlled Format String Vulnerability (CVE-2009-2446)
WordPress Plugin Participants Database Multiple Vulnerabilities (1.7.5.3)