CVE-2022-35740: n/a in n/a
dotCMS before 22.06 allows remote attackers to bypass intended access control and obtain sensitive information by using a semicolon in a URL to introduce a matrix parameter. (This is also fixed in 5.3.8.12, 21.06.9, and 22.03.2 for LTS users.) Some Java application frameworks, including those used by Spring or Tomcat, allow the use of matrix parameters: these are URI parameters separated by semicolons. Through precise semicolon placement in a URI, it is possible to exploit this feature to avoid dotCMS's path-based XSS prevention (such as "require login" filters), and consequently access restricted resources. For example, an attacker could place a semicolon immediately before a / character that separates elements of a filesystem path. This could reveal file content that is ordinarily only visible to signed-in users. This issue can be chained with other exploit code to achieve XSS attacks against dotCMS.
AI Analysis
Technical Summary
CVE-2022-35740 is a medium-severity vulnerability affecting dotCMS versions prior to 22.06; the fix is also available to long-term support (LTS) users in versions 5.3.8.12, 21.06.9, and 22.03.2. The vulnerability arises from dotCMS's improper handling of matrix parameters in URLs. Matrix parameters are URI parameters separated by semicolons, a feature supported by some Java application frameworks such as Spring and Tomcat. By inserting a semicolon immediately before a path separator ('/') in a URL, an attacker can bypass dotCMS's path-based access control mechanisms, such as filters that enforce login requirements: the filter matches against the raw request path, while the resource resolver ignores the matrix parameter and serves the underlying file. This bypass allows unauthenticated remote attackers to read content that should be restricted to authenticated users. The vulnerability can also be chained with other exploits to perform cross-site scripting (XSS) attacks against dotCMS, which is why it is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS 3.1 base score is 6.1 (medium): the attack vector is network-based (AV:N), no privileges are required (PR:N), but user interaction is required (UI:R). The scope is changed (S:C), with low impact on confidentiality and integrity and no impact on availability. No known exploits are currently reported in the wild. The vulnerability was publicly disclosed on November 10, 2022, and patches are available in the fixed versions listed above. The root cause is the failure to normalise and validate matrix parameters in URLs before applying path-based access checks, leading to access control bypass and potential information disclosure and XSS risks.
Potential Impact
For European organizations using dotCMS, especially those running versions prior to 22.06 or the specified LTS versions, this vulnerability poses a risk of unauthorized access to sensitive content intended only for authenticated users. This could include confidential business data, internal documents, or user information hosted on dotCMS-powered websites or intranets. The ability to bypass login requirements undermines the integrity of access controls and could lead to data leakage. Additionally, the potential to chain this vulnerability with XSS attacks increases the risk of session hijacking, credential theft, or further compromise of web applications. Organizations in sectors such as government, finance, healthcare, and media, which often rely on content management systems like dotCMS, may face reputational damage, regulatory non-compliance (e.g., GDPR), and operational disruptions. However, the requirement for user interaction (e.g., clicking a crafted link) somewhat limits the exploitability, and no active exploitation has been reported to date. Still, the vulnerability’s network accessibility and scope change make it a significant concern for organizations with public-facing dotCMS instances.
Mitigation Recommendations
- Upgrade dotCMS installations to version 22.06 or later, or apply the relevant patches for LTS versions (5.3.8.12, 21.06.9, 22.03.2) as soon as possible to eliminate the vulnerability.
- Implement strict input validation and sanitization on all URL parameters, specifically filtering or rejecting matrix parameters containing semicolons that could be used to manipulate path parsing.
- Configure web application firewalls (WAFs) to detect and block suspicious URL patterns containing semicolons before path separators, which are indicative of exploitation attempts targeting this vulnerability.
- Review and tighten access control policies within dotCMS to ensure that sensitive resources are not solely protected by path-based filters but also by robust authentication and authorization mechanisms.
- Conduct security awareness training for users to recognize and avoid clicking on suspicious links that could exploit this vulnerability, reducing the risk posed by the required user interaction.
- Perform regular security assessments and penetration testing focusing on URL parameter manipulation to detect similar vulnerabilities or misconfigurations in dotCMS and related web applications.
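The following is an added example, not dotCMS code, illustrating both the mechanism from the Technical Summary and the validation and detection recommendations above: a path-prefix "require login" check that sees the raw path is compared with one that first percent-decodes and strips matrix parameters from every segment (a generalisation of the single semicolon-before-slash case the page describes), plus a log scan for the WAF-style pattern the recommendations mention. The protected prefix, request paths and log lines are all constructed for the example.

```python
import re
from urllib.parse import unquote

PROTECTED_PREFIX = "/restricted/"  # constructed: a prefix that should require login


def strip_matrix_params(path: str) -> str:
    """Drop ';name=value' (or a bare ';') from each path segment.

    RFC 3986 allows ';' inside a segment and Java frameworks such as Spring
    and Tomcat treat the remainder of the segment as matrix parameters, so
    the resource resolver effectively ignores it. Access checks must see the
    same path the resolver will serve."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def naive_requires_login(path: str) -> bool:
    """Vulnerable pattern: prefix check on the raw request path only."""
    return path.startswith(PROTECTED_PREFIX)


def hardened_requires_login(path: str) -> bool:
    """Hardened pattern: decode, strip matrix params, collapse '//' and then
    apply the same prefix check."""
    normalised = strip_matrix_params(unquote(path))
    normalised = re.sub(r"/{2,}", "/", normalised)
    return normalised.startswith(PROTECTED_PREFIX)


# Detection: a semicolon that is followed by a path separator within the
# same segment. A trailing ';jsessionid=...' on the last segment (a normal
# Tomcat session cookie fallback) has no '/' after it and is not flagged.
MATRIX_BEFORE_SLASH = re.compile(r";[^/?]*/")
REQUEST_PATH = re.compile(r'"(?:GET|POST|HEAD) (\S+)')


def flag_suspicious_requests(log_lines):
    """Return request paths from access-log lines matching the pattern."""
    hits = []
    for line in log_lines:
        m = REQUEST_PATH.search(line)
        if m and MATRIX_BEFORE_SLASH.search(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2022:10:00:01 +0000] "GET /restricted/report.pdf HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Nov/2022:10:00:07 +0000] "GET /restricted;/report.pdf HTTP/1.1" 200 4096',
    '198.51.100.9 - - [10/Nov/2022:10:00:09 +0000] "GET /public/index.html;jsessionid=abc HTTP/1.1" 200 512',
]
```

The second sample line is the case the naive check misses: the filter does not see `/restricted/`, but the resolver serves `report.pdf`; the hardened check and the log scan both catch it, while the legitimate `;jsessionid` suffix in the third line is left alone.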
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2022-07-13T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9839c4522896dcbecde0
Added to database: 5/21/2025, 9:09:13 AM
Last enriched: 6/25/2025, 6:15:12 PM
Last updated: 2/7/2026, 11:37:33 AM