VYPR
Unrated severityNVD Advisory· Published Oct 17, 2023· Updated Jun 12, 2025

CNA SHORTNAME: dotCMSORG UUID: 5b9d93f2-25c7-46b4-ab60-d201718c9dd8

CVE-2023-3042

Description

In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should return a 404 response but didn't.

The oversight in the default invalid URL character list can be viewed at the provided GitHub link https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 .

To mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables.

Specifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings.

Additionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs.

Fix Version:23.06+, LTS 22.03.7+, LTS 23.01.4+

Affected products

2
  • Dotcms/Dotcmsllm-fuzzy2 versions
    <23.06 || <22.03.7 || <23.01.4+ 1 more
    • (no CPE)range: <23.06 || <22.03.7 || <23.01.4
    • (no CPE)range: 5.3.8

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.