{"vuid":"VU#898083","idnumber":"898083","name":"dotCMS template permissions allow arbitrary code execution","keywords":["dotcms","cms","permissions","java","xslt","velocity"],"overview":"The dotCMS content management system, version 1.9 and possibly earlier versions, contains a vulnerability that allows users with the appropriate permissions to create a malicious template with arbitrary code.","clean_desc":"An authenticated dotCMS user with the permissions required to author and upload templates may create a malicious XSLT or Velocity template that can execute arbitrary Java code. The arbitrary Java code will run with the permissions of the web service account.","impact":"An authenticated attacker with the permissions to create a template may upload a malicious XSLT or Velocity template that can run arbitrary Java code. In some cases, the attacker may be able to exploit this vulnerability to obtain a shell on the web server.","resolution":"Apply an Update\ndotCMS version 1.9.5.1 or 2.0.1 and later address these vulnerabilities. 
If you are unable to upgrade, please consider the following workarounds.","workarounds":"Workarounds\nUnmap the XSLT Tool in the toolbox.xml file or apply this XSLT Tool, which is backported from 2.0 to 1.9.\nAdd to system.properties the property: runtime.introspector.uberspect = org.apache.velocity.util.introspection.SecureUberspector","sysaffected":"","thanks":"Thanks to Ben Murphy for reporting this vulnerability.","author":"This document was written by Jared Allar.","public":["http://dotcms.com/","https://github.com/dotCMS/dotCMS/issues/261","https://github.com/dotCMS/dotCMS/issues/281","https://velocity.apache.org/engine/devel/apidocs/org/apache/velocity/util/introspection/SecureUberspector.html","https://gist.github.com/2627440"],"cveids":["CVE-2012-1826"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2012-04-13T15:57:27Z","publicdate":"2012-05-25T00:00:00Z","datefirstpublished":"2012-05-25T12:03:13Z","dateupdated":"2012-05-25T12:26:23Z","revision":26,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"U","cvss_reportconfidence":"UC","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"ND","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"8.5","cvss_basevector":"AV:N/AC:M/Au:S/C:C/I:C/A:C","cvss_temporalscore":"6.9","cvss_environmentalscore":"6.9","cvss_environmentalvector":"CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}