CVE-2022-35740: n/a in n/a
dotCMS before 22.06 allows remote attackers to bypass intended access control and obtain sensitive information by using a semicolon in a URL to introduce a matrix parameter. (This is also fixed in 5.3.8.12, 21.06.9, and 22.03.2 for LTS users.) Some Java application frameworks, including those used by Spring or Tomcat, allow the use of matrix parameters: these are URI parameters separated by semicolons. Through precise semicolon placement in a URI, it is possible to exploit this feature to avoid dotCMS's path-based XSS prevention (such as "require login" filters), and consequently access restricted resources. For example, an attacker could place a semicolon immediately before a / character that separates elements of a filesystem path. This could reveal file content that is ordinarily only visible to signed-in users. This issue can be chained with other exploit code to achieve XSS attacks against dotCMS.
AI Analysis
Technical Summary
CVE-2022-35740 is a medium-severity vulnerability affecting dotCMS versions prior to 22.06, including the long-term support (LTS) lines, which are fixed in 5.3.8.12, 21.06.9, and 22.03.2. The vulnerability arises from dotCMS's improper handling of matrix parameters in URLs. Matrix parameters are URI parameters separated by semicolons, a feature supported by some Java application frameworks such as Spring and Tomcat. By inserting a semicolon immediately before a path separator ('/') in a URL, an attacker can bypass dotCMS's path-based access control mechanisms, such as filters that enforce login requirements. This bypass allows unauthenticated remote attackers to access sensitive information that should be restricted to authenticated users. The vulnerability can also be chained with other exploits to perform cross-site scripting (XSS) attacks against dotCMS, as indicated by its association with CWE-79 (Improper Neutralization of Input During Web Page Generation).

The CVSS 3.1 base score is 6.1 (medium): the attack vector is network-based (AV:N), no privileges are required (PR:N), but user interaction is required (UI:R). The scope is changed (S:C), with low impact on confidentiality and integrity and no impact on availability. No known exploits are currently reported in the wild. The vulnerability was publicly disclosed on November 10, 2022, and patches are available in the fixed versions listed above. The root cause is the failure to properly validate and sanitize matrix parameters in URLs, leading to access control bypass and potential information disclosure and XSS risks.
Potential Impact
For European organizations using dotCMS, especially those running versions prior to 22.06 or LTS releases older than the listed fix versions, this vulnerability poses a risk of unauthorized access to sensitive content intended only for authenticated users. This could include confidential business data, internal documents, or user information hosted on dotCMS-powered websites or intranets. The ability to bypass login requirements undermines the integrity of access controls and could lead to data leakage. Additionally, the potential to chain this vulnerability with XSS attacks increases the risk of session hijacking, credential theft, or further compromise of web applications. Organizations in sectors such as government, finance, healthcare, and media, which often rely on content management systems like dotCMS, may face reputational damage, regulatory non-compliance (e.g., GDPR), and operational disruptions. However, the requirement for user interaction (e.g., clicking a crafted link) somewhat limits exploitability, and no active exploitation has been reported to date. Still, the vulnerability's network accessibility and scope change make it a significant concern for organizations with public-facing dotCMS instances.
Mitigation Recommendations
- Upgrade dotCMS installations to version 22.06 or later, or apply the relevant patches for LTS versions (5.3.8.12, 21.06.9, 22.03.2) as soon as possible to eliminate the vulnerability.
- Implement strict input validation and sanitization on all URL parameters, specifically filtering or rejecting matrix parameters containing semicolons that could be used to manipulate path parsing.
- Configure web application firewalls (WAFs) to detect and block suspicious URL patterns containing semicolons before path separators, which are indicative of exploitation attempts targeting this vulnerability.
- Review and tighten access control policies within dotCMS to ensure that sensitive resources are not solely protected by path-based filters but also by robust authentication and authorization mechanisms.
- Conduct security awareness training for users to recognize and avoid clicking on suspicious links that could exploit this vulnerability, reducing the risk posed by the required user interaction.
- Perform regular security assessments and penetration testing focusing on URL parameter manipulation to detect similar vulnerabilities or misconfigurations in dotCMS and related web applications.
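As an added illustration of the filter weakness described in the analysis and the canonicalization the mitigations call for (this is constructed example code, not dotCMS's own filter or part of this advisory), the following shows a naive path-based "require login" check beside a hardened one that removes matrix parameters and normalizes the path before matching; the protected prefixes and sample request paths are assumed.

```python
import posixpath
from urllib.parse import unquote

# Assumed protected path prefixes (placeholders, not dotCMS's real routes).
PROTECTED_PREFIXES = ("/dotAdmin", "/api/v1/secure")


def strip_matrix_params(raw_path: str) -> str:
    """Drop ';name=value' matrix (path) parameters from every segment.

    Servlet containers parse these out of each segment before mapping the
    request, so '/dotAdmin;x=1/users' is served as '/dotAdmin/users'.
    """
    return "/".join(seg.split(";", 1)[0] for seg in raw_path.split("/"))


def canonicalize(raw_path: str) -> str:
    """Reduce a request path to the form the resource lookup will see.

    Order mirrors a servlet container: path parameters are removed from the
    raw URI, it is percent-decoded once, then '//' and dot segments collapse.
    """
    path = unquote(strip_matrix_params(raw_path))
    # Force a single leading slash; posixpath.normpath keeps a leading '//'.
    return posixpath.normpath("/" + path.lstrip("/"))


def is_protected(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def naive_requires_login(raw_path: str) -> bool:
    """Vulnerable pattern: the raw URI is matched against the prefixes."""
    return is_protected(raw_path)


def hardened_requires_login(raw_path: str) -> bool:
    """Match the canonical path, which is what the resource lookup uses."""
    return is_protected(canonicalize(raw_path))


def classify(raw_path: str) -> str:
    """Defender-side signal: requests where the two checks disagree are
    exactly the ones a WAF or access log review should flag."""
    hardened = hardened_requires_login(raw_path)
    if hardened and not naive_requires_login(raw_path):
        return "bypass-attempt"
    return "login-required" if hardened else "public"
```

Logging every request that `classify` labels `bypass-attempt` gives a detection rule that does not depend on a fixed semicolon pattern, since it keys on the disagreement between raw and canonical paths.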
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2022-07-13T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9839c4522896dcbecde0
Added to database: 5/21/2025, 9:09:13 AM
Last enriched: 6/25/2025, 6:15:12 PM
Last updated: 7/25/2025, 8:27:27 PM