CVE-2022-35740: n/a in n/a

Severity: Medium
Tags: Vulnerability, CVE-2022-35740
Published: Thu Nov 10 2022 (11/10/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

dotCMS before 22.06 allows remote attackers to bypass intended access control and obtain sensitive information by using a semicolon in a URL to introduce a matrix parameter. (This is also fixed in 5.3.8.12, 21.06.9, and 22.03.2 for LTS users.) Some Java application frameworks, including those used by Spring or Tomcat, allow the use of matrix parameters: these are URI parameters separated by semicolons. Through precise semicolon placement in a URI, it is possible to exploit this feature to avoid dotCMS's path-based XSS prevention (such as "require login" filters), and consequently access restricted resources. For example, an attacker could place a semicolon immediately before a / character that separates elements of a filesystem path. This could reveal file content that is ordinarily only visible to signed-in users. This issue can be chained with other exploit code to achieve XSS attacks against dotCMS.

AI-Powered Analysis

Last updated: 06/25/2025, 18:15:12 UTC

Technical Analysis

CVE-2022-35740 is a medium-severity vulnerability affecting dotCMS versions prior to 22.06; for long-term support (LTS) users it is also fixed in 5.3.8.12, 21.06.9, and 22.03.2. The vulnerability arises from dotCMS's improper handling of matrix parameters in URLs. Matrix parameters are URI parameters separated by semicolons, a feature supported by some Java application frameworks like Spring and Tomcat. By carefully inserting a semicolon immediately before a path separator ('/') in a URL, an attacker can bypass dotCMS's path-based access control mechanisms, such as filters that enforce login requirements. This bypass allows unauthorized remote attackers to access sensitive information that should be restricted to authenticated users.

The vulnerability can also be chained with other exploits to perform cross-site scripting (XSS) attacks against dotCMS, as indicated by its association with CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS 3.1 base score is 6.1 (medium), reflecting that the attack vector is network-based (AV:N) and requires no privileges (PR:N), but does require user interaction (UI:R). The scope is changed (S:C), with low impact on confidentiality and integrity, and no impact on availability.

No known exploits are currently reported in the wild. The vulnerability was publicly disclosed on November 10, 2022, and patches are available in the specified fixed versions. The root cause is the failure to properly validate and sanitize matrix parameters in URLs, leading to access control bypass and potential information disclosure and XSS risks.

Potential Impact

For European organizations using dotCMS, especially those running versions prior to 22.06 or LTS releases older than the specified fixed versions, this vulnerability poses a risk of unauthorized access to sensitive content intended only for authenticated users. This could include confidential business data, internal documents, or user information hosted on dotCMS-powered websites or intranets. The ability to bypass login requirements undermines the integrity of access controls and could lead to data leakage. Additionally, the potential to chain this vulnerability with XSS attacks increases the risk of session hijacking, credential theft, or further compromise of web applications. Organizations in sectors such as government, finance, healthcare, and media, which often rely on content management systems like dotCMS, may face reputational damage, regulatory non-compliance (e.g., GDPR), and operational disruptions. However, the requirement for user interaction (e.g., clicking a crafted link) somewhat limits the exploitability, and no active exploitation has been reported to date. Still, the vulnerability’s network accessibility and scope change make it a significant concern for organizations with public-facing dotCMS instances.

Mitigation Recommendations

1. Upgrade dotCMS installations to version 22.06 or later, or apply the relevant patches for LTS versions (5.3.8.12, 21.06.9, 22.03.2) as soon as possible to eliminate the vulnerability.
2. Implement strict input validation and sanitization on all URL parameters, specifically filtering or rejecting matrix parameters containing semicolons that could be used to manipulate path parsing.
3. Configure web application firewalls (WAFs) to detect and block suspicious URL patterns containing semicolons before path separators, which are indicative of exploitation attempts targeting this vulnerability.
4. Review and tighten access control policies within dotCMS to ensure that sensitive resources are not solely protected by path-based filters but also by robust authentication and authorization mechanisms.
5. Conduct security awareness training for users to recognize and avoid clicking on suspicious links that could exploit this vulnerability, reducing the risk posed by the required user interaction.
6. Perform regular security assessments and penetration testing focusing on URL parameter manipulation to detect similar vulnerabilities or misconfigurations in dotCMS and related web applications.
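A detection sketch for the semicolon-before-separator pattern described above, added here as an example and not taken from dotCMS or its patches. It compares what a prefix-based login filter sees on the raw path with the path left after matrix parameters are stripped; the protected prefixes, the access-log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hypothetical prefixes guarded by a path-based "require login" filter.
PROTECTED_PREFIXES = ("/private/", "/intranet/")
# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def strip_matrix_params(path):
    """Drop ';...' from each segment (simplified model of container path resolution)."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))

def requires_login(path):
    """Prefix check as a path-based filter would perform it on the raw path."""
    return path.startswith(PROTECTED_PREFIXES)

def classify(target):
    """Return 'bypass', 'matrix' or 'clean' for one request target."""
    path = urlsplit(target).path
    if ";" not in path:
        return "clean"
    # Raw path looks public to the filter, resolved path is protected.
    if requires_login(strip_matrix_params(path)) and not requires_login(path):
        return "bypass"
    return "matrix"

def scan(log_lines):
    """Return (line_number, verdict, target) for every request carrying ';'."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        verdict = classify(m.group("target")) if m else "clean"
        if verdict != "clean":
            hits.append((n, verdict, m.group("target")))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2022:10:00:01 +0000] "GET /private/report.pdf HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Nov/2022:10:00:02 +0000] "GET /private;/report.pdf HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Nov/2022:10:00:03 +0000] "GET /news;lang=en/today HTTP/1.1" 200 812',
    '198.51.100.7 - - [10/Nov/2022:10:00:04 +0000] "GET /search?q=a;b HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A "bypass" verdict marks requests where the filter's view and the resolved path disagree; "matrix" marks other semicolon-bearing paths that may be legitimate and only merit review.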

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-07-13T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9839c4522896dcbecde0

Added to database: 5/21/2025, 9:09:13 AM

Last enriched: 6/25/2025, 6:15:12 PM

Last updated: 7/25/2025, 8:27:27 PM
