CVE-2024-4447: CWE-863 Incorrect Authorization in dotCMS dotCMS core
CVE-2024-4447 is a critical authorization vulnerability in dotCMS core affecting version 4.2.1, allowing privileged but not fully authorized administrators to access session IDs and impersonate other users via exposed Direct Web Remoting (DWR) API endpoints. The flaw enables malicious admins to obfuscate attribution by using session IDs to generate API tokens, bypassing normal audit trails. Additional DWR endpoints were later found vulnerable to information disclosure and privilege escalation, including the ability to enumerate users, roles, and permissions and, critically, to modify role permissions. The vulnerability has a CVSS score of 9.9, reflecting its high impact on confidentiality, integrity, and availability without requiring user interaction. Although exploitation requires some level of privilege, the scope and severity make it a significant threat to organizations using dotCMS. Patches have been released in recent dotCMS versions to address these issues.
AI Analysis
Technical Summary
CVE-2024-4447 is an incorrect authorization vulnerability (CWE-863) in the dotCMS core content management system, specifically affecting version 4.2.1. The vulnerability arises from improper access controls on the System → Maintenance tool’s Logged Users tab, which exposes sessionId data for all users through the Direct Web Remoting (DWR) API endpoint UserSessionAjax.getSessionList.dwr. While session information should only be accessible to administrators with explicit "Sign In As" privileges, this flaw allows any administrator with lesser privileges to retrieve session IDs and impersonate other users by hijacking their sessions. This impersonation bypasses normal logging and attribution mechanisms, enabling malicious admins to perform unauthorized actions without traceability. Further research uncovered additional vulnerable DWR endpoints that leak sensitive information such as user lists, roles, permissions, and system thread information. Critically, the RoleAjax.saveRolePermission.dwr endpoint allows privilege escalation by modifying role permissions, potentially granting attackers full administrative control. The vulnerability is remotely exploitable over the network without user interaction but requires some level of administrative privileges. The CVSS 3.1 base score is 9.9 (critical), reflecting the high confidentiality, integrity, and limited availability impacts, combined with low attack complexity and no user interaction. The vendor has released patches in dotCMS versions 24.07.12, 23.01.20 LTS, 23.10.24v13 LTS, and 24.04.24v5 LTS to remediate these issues. No known exploits in the wild have been reported yet.
Potential Impact
For European organizations using dotCMS core, this vulnerability poses a severe risk to the confidentiality and integrity of their content management systems. Attackers with limited administrative privileges can escalate their access, impersonate other users, and modify role permissions, potentially gaining full control over the CMS environment. This can lead to unauthorized content changes, data leakage of sensitive user and role information, and disruption of services. The ability to obfuscate attribution complicates incident response and forensic investigations, increasing the risk of prolonged undetected compromise. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, face heightened compliance risks and potential legal consequences if exploited. The vulnerability's network accessibility and critical severity make it a prime target for insider threats and attackers who have gained partial access, emphasizing the need for immediate remediation to protect European digital assets and maintain trust.
Mitigation Recommendations
European organizations should promptly upgrade dotCMS core to the fixed versions: 24.07.12, 23.01.20 LTS, 23.10.24v13 LTS, or 24.04.24v5 LTS. Until patching is complete, restrict administrative access to the CMS to only fully trusted personnel and enforce strict role-based access controls to minimize the number of users with elevated privileges. Monitor and audit all administrative actions closely, focusing on unusual session activity or role permission changes. Disable or restrict access to the vulnerable DWR API endpoints if possible, using web application firewalls or API gateways to block unauthorized calls. Implement multi-factor authentication for all admin accounts to reduce the risk of credential compromise. Regularly review and update user roles and permissions to ensure least privilege principles are enforced. Finally, maintain comprehensive logging and ensure logs are protected from tampering to aid in detection and forensic analysis.
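The monitoring step above can be made concrete by scanning web-server access logs for calls to the two DWR endpoints the advisory names. The script below is an added example, not code from dotCMS or from this advisory; it assumes Apache/NGINX combined log format, matches on the endpoint name only because the exact URL prefix depends on the deployment, and uses constructed sample lines.

```python
import re
from collections import defaultdict

# DWR endpoints named in the advisory: the first leaks sessionId values for
# every logged-in user, the second changes role permissions. Matching is on
# the endpoint name alone; the URL prefix varies by deployment (assumption).
SENSITIVE_DWR = {
    "UserSessionAjax.getSessionList.dwr": "session-id disclosure",
    "RoleAjax.saveRolePermission.dwr": "role permission change",
}

# Combined log format: client, ident, authenticated user, timestamp,
# request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_dwr_hits(lines):
    """One finding per request (any status) that targeted a sensitive endpoint.
    Denied attempts (403) are kept: on a patched instance they show probing."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for endpoint, why in SENSITIVE_DWR.items():
            if rec["path"].endswith(endpoint):
                findings.append({**rec, "endpoint": endpoint, "why": why})
    return findings

def summarize_successful(findings):
    """Count 2xx hits per authenticated user, the accounts to triage first."""
    counts = defaultdict(int)
    for f in findings:
        if f["status"].startswith("2"):
            counts[f["user"]] += 1
    return dict(counts)

# Constructed sample lines, not real traffic; the /dwr/call/plaincall prefix is assumed.
SAMPLE_LOG = [
    '10.0.0.5 - alice [29/Jan/2026:10:42:48 +0000] "POST /dwr/call/plaincall/UserSessionAjax.getSessionList.dwr HTTP/1.1" 200 4821',
    '10.0.0.5 - alice [29/Jan/2026:10:43:02 +0000] "POST /dwr/call/plaincall/RoleAjax.saveRolePermission.dwr HTTP/1.1" 200 57',
    '10.0.0.9 - bob [29/Jan/2026:10:44:10 +0000] "GET /dotAdmin/ HTTP/1.1" 200 15320',
    '10.0.0.9 - bob [29/Jan/2026:10:44:11 +0000] "POST /dwr/call/plaincall/UserSessionAjax.getSessionList.dwr HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    hits = find_dwr_hits(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} user={f['user']} client={f['client']} {f['status']} {f['endpoint']} ({f['why']})")
    print("successful hits per user:", summarize_successful(hits))
```

A session-list call followed shortly by a role-permission change from the same account, as in the sample, is the sequence the advisory describes and is worth an immediate review of that account's activity.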
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: dotCMS
- Date Reserved: 2024-05-02T19:24:56.680Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 697b39a8ac063202227f4977
Added to database: 1/29/2026, 10:42:48 AM
Last enriched: 1/29/2026, 10:57:09 AM
Last updated: 1/29/2026, 2:04:18 PM