{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-3042","assignerOrgId":"5b9d93f2-25c7-46b4-ab60-d201718c9dd8","state":"PUBLISHED","assignerShortName":"dotCMS","dateReserved":"2023-06-01T20:26:04.134Z","datePublished":"2023-10-17T22:52:05.453Z","dateUpdated":"2025-06-12T15:05:44.260Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"dotCMS core","vendor":"dotCMS","versions":[{"status":"affected","version":"5.3.8"},{"status":"affected","version":"21.06"},{"status":"affected","version":"22.03"},{"status":"affected","version":"23.01"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"In the dotCMS versions listed, the NormalizationFilter does not include double slashes (//) in its default list of invalid URL strings, so request URLs containing them are not rejected. This can enable bypasses of XSS filtering and access controls. For example, <a target=\"_blank\" rel=\"nofollow\" href=\"https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp\">https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp</a> should return a 404 response but did not.<br><br>The omission in the default invalid URL character list can be seen at the linked <a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37\">GitHub source</a>.<br><br>To mitigate, block URLs containing double slashes at a firewall, or use the dotCMS configuration variables. Specifically, set the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environment variable to add // to the list of forbidden strings.<br><br>Additionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers finer control, for instance to block any URL matching //html.*.<br><br><table><tbody><tr><th>Fix Version:</th><td>23.06+, LTS 22.03.7+, LTS 23.01.4+</td></tr></tbody></table><br>"}],"value":"In the dotCMS versions listed, the NormalizationFilter does not include double slashes (//) in its default list of invalid URL strings, so request URLs containing them are not rejected. This can enable bypasses of XSS filtering and access controls. For example, https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp should return a 404 response but did not.\n\nThe omission in the default invalid URL character list can be seen at the linked GitHub source: https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37\n\nTo mitigate, block URLs containing double slashes at a firewall, or use the dotCMS configuration variables. Specifically, set the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environment variable to add // to the list of forbidden strings.\n\nAdditionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers finer control, for instance to block any URL matching //html.*.\n\nFix Version: 23.06+, LTS 22.03.7+, LTS 23.01.4+"}],"impacts":[{"capecId":"CAPEC-247","descriptions":[{"lang":"en","value":"CAPEC-247 XSS Using Invalid Characters"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"5b9d93f2-25c7-46b4-ab60-d201718c9dd8","shortName":"dotCMS","dateUpdated":"2024-09-30T15:25:26.548Z"},"references":[{"url":"https://www.dotcms.com/security/SI-68"}],"source":{"discovery":"UNKNOWN"},"title":"CNA SHORTNAME: dotCMSORG UUID: 5b9d93f2-25c7-46b4-ab60-d201718c9dd8","x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T06:41:04.130Z"},"title":"CVE Program Container","references":[{"url":"https://www.dotcms.com/security/SI-68","tags":["x_transferred"]}]},{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-06-12T15:05:05.713927Z","id":"CVE-2023-3042","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-06-12T15:05:44.260Z"}}]}}
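The bypass described in the record and both configured mitigations, as an added Python example (this is a model written for illustration, not dotCMS code): a request passes through a normalization filter that rejects forbidden substrings or a forbidden regex, then a path-prefix access rule evaluated on the raw path, then a resource mapping that collapses repeated slashes the way servlet containers typically do. The variable names DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS and DOT_URI_NORMALIZATION_FORBIDDEN_REGEX, the //html.* pattern and the example URL come from the record; the placeholder default list, the comma-separated variable format, the /html/portlet/ prefix rule, the 404 status and the second test URL are assumptions constructed for the demonstration.

```python
"""Model of the CVE-2023-3042 normalization bypass and its configured mitigations.

Added example, not dotCMS code. It imitates the shape of the problem: a filter
that rejects paths containing forbidden substrings (or matching a forbidden
regex), a default list that lacks "//", a path-prefix access rule evaluated on
the raw path, and a resource mapping that collapses repeated slashes. The
default list, rule table, env-var format and 404 status are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Constructed placeholder default: like the vulnerable default, it omits "//".
# (The real default list is at the GitHub link in the record; not reproduced here.)
PLACEHOLDER_DEFAULT_FORBIDDEN = ["..", "\\"]

# Constructed access rule: everything under /html/portlet/ needs an admin session.
PROTECTED_PREFIXES = ["/html/portlet/"]

# Request URLs for the demonstration (the first one is the record's example).
DOUBLED_URL = "https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp"
NORMAL_URL = "https://demo.dotcms.com/html/portlet/ext/files/edit_text_inc.jsp"


@dataclass
class NormalizationConfig:
    forbidden_strings: list[str] = field(
        default_factory=lambda: list(PLACEHOLDER_DEFAULT_FORBIDDEN))
    forbidden_regex: Optional[str] = None

    @classmethod
    def from_env(cls, env: dict[str, str]) -> "NormalizationConfig":
        """Build a config from the two DOT_URI_NORMALIZATION_* variables named in
        the record. Treating FORBIDDEN_STRINGS as comma-separated is an assumption."""
        cfg = cls()
        extra = env.get("DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS", "")
        cfg.forbidden_strings += [s for s in extra.split(",") if s]
        cfg.forbidden_regex = env.get("DOT_URI_NORMALIZATION_FORBIDDEN_REGEX") or None
        return cfg


def normalization_filter(raw_path: str, cfg: NormalizationConfig) -> Optional[int]:
    """Return 404 when the raw path contains a forbidden string or matches the
    forbidden regex; None lets the request continue down the chain."""
    if any(s in raw_path for s in cfg.forbidden_strings):
        return 404
    if cfg.forbidden_regex and re.match(cfg.forbidden_regex, raw_path):
        return 404
    return None


def access_check(raw_path: str, is_admin: bool) -> Optional[int]:
    """Prefix rule on the raw path. "//html/..." does not start with
    "/html/portlet/", which is exactly how the doubled slash slips past it."""
    if not is_admin and any(raw_path.startswith(p) for p in PROTECTED_PREFIXES):
        return 403
    return None


def resolve_resource(raw_path: str) -> str:
    """Servlet containers typically collapse repeated slashes when mapping a
    path to a resource, so //html/x and /html/x reach the same JSP."""
    return re.sub(r"/+", "/", raw_path)


def handle(url: str, cfg: NormalizationConfig, is_admin: bool = False) -> tuple[int, str]:
    """Run a request through filter -> access rule -> resolver.
    Returns (status, resolved resource or empty string on rejection)."""
    raw_path = urlsplit(url).path
    status = normalization_filter(raw_path, cfg) or access_check(raw_path, is_admin)
    if status is not None:
        return status, ""
    return 200, resolve_resource(raw_path)


if __name__ == "__main__":
    configs = [
        ("default", NormalizationConfig()),
        ("forbid //", NormalizationConfig.from_env(
            {"DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS": "//"})),
        ("regex //html.*", NormalizationConfig.from_env(
            {"DOT_URI_NORMALIZATION_FORBIDDEN_REGEX": "//html.*"})),
    ]
    for name, cfg in configs:
        print(f"{name:15} normal  -> {handle(NORMAL_URL, cfg)}")
        print(f"{name:15} doubled -> {handle(DOUBLED_URL, cfg)}")
```

With the placeholder default, the single-slash URL is stopped by the prefix rule (403) while the double-slash URL passes both the filter and the rule and resolves to the same JSP (200); adding // to the forbidden strings, or the //html.* regex, turns the doubled request into a 404 before the access rule is reached. Note the order matters: the filter runs on the raw path, so a regex like //html.* only works if it is anchored at the start of the raw path, which re.match provides.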