The CERT Vulnerability Notes Database’s vulnerability note #168699 listed multiple vulnerabilities with the open source content management system dotCMS.
The note listed CVE-2017-3187, CVE-2017-3188 and CVE-2017-3189, all associated with dotCMS Enterprise Pro, that can be used in conjunction with each other to move files and allow remote code execution.
CERT is currently unaware of any solution to these issues.
CVE-2017-3187 covers the cross-site request forgery (CSRF) issue in the “Push Publishing” feature in Enterprise Pro that gives an attacker the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request.
CVE-2017-3188 covers the handling of “Bundle” tar.gz archives uploaded to the Push Publishing feature: when they are decompressed, the filenames of their contents are not properly checked, allowing files to be written to arbitrary directories on the file system. This issue can be used in conjunction with CVE-2017-3187 to upload these archives directly to the attacker.
CVE-2017-3189 involves Unrestricted Upload of File with Dangerous Type and can be combined with the previous vulnerability to enable remote code execution.
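The filename check that CVE-2017-3188 describes as missing can be sketched as follows. This is an added Python example, not dotCMS code (dotCMS is written in Java); the function names and the sample bundles are constructed for illustration, and POSIX paths are assumed.

```python
import io
import os
import tarfile


def build_sample_bundle(names):
    """Build a constructed tar.gz in memory with one small file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            data = b"constructed sample content\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def unsafe_members(archive_bytes, dest_dir):
    """Return names of entries that must not be extracted into dest_dir."""
    dest = os.path.realpath(dest_dir)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            # Resolve where the entry would land, then compare whole path
            # components so "../" and absolute names are both caught.
            target = os.path.realpath(os.path.join(dest, m.name))
            escapes = os.path.commonpath([dest, target]) != dest
            # Links and device nodes can redirect later writes; reject them.
            if escapes or m.issym() or m.islnk() or m.isdev():
                bad.append(m.name)
    return bad


def safe_extract(archive_bytes, dest_dir):
    """Extract regular files only, after every entry has passed the check."""
    bad = unsafe_members(archive_bytes, dest_dir)
    if bad:
        raise ValueError("rejected bundle, unsafe entries: %r" % bad)
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue  # parent directories are created on demand below
            target = os.path.join(dest_dir, m.name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(m) as src, open(target, "wb") as out:
                out.write(src.read())
            written.append(m.name)
    return written
```

The whole bundle is rejected if any single entry fails, so a partially extracted archive never reaches disk.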