Description
Arbitrary file upload vulnerability in com/dotmarketing/servlets/AjaxFileUploadServlet.class in dotCMS 4.1.1 allows remote authenticated administrators to upload .jsp files to arbitrary locations via directory traversal sequences in the fieldName parameter to servlets/ajax_file_upload. This results in arbitrary code execution by requesting the .jsp file at a /assets URI.
References (3)
Core 3
Core References
Exploit, Mailing List, Third Party Advisory x_refsource_misc
http://seclists.org/fulldisclosure/2017/Jul/33
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://github.com/dotCMS/core/issues/12131
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://packetstormsecurity.com/files/143383/dotcms411-shell.txt
Scores
CVSS v3
7.2
EPSS
0.0305
EPSS Percentile
86.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-434
Status
published
Products (1)
dotcms/dotcms
4.1.1
Published
Jul 20, 2017
Tracked Since
Feb 18, 2026