The security of the dotCMS platform is of the utmost importance to dotCMS, to our user community and to our customers. dotCMS strives to ensure the security and integrity of all dotCMS installations and has processes in place to ensure all security issues are promptly addressed and customer exposure is minimized.
Overview
It is important for developers and administrators to realize that dotCMS is a web development and content platform and not a shrink-wrapped solution. As a platform, it is our job to provide modern tooling that allows responsible developers and administrators to deliver the most secure content-managed site or content application available. From a security standpoint, dotCMS is primarily concerned with security issues that arise from the dotCMS tooling itself, the admin console and related web services, rather than any specific web or content implementation built by third parties on top of the platform.
The dotCMS platform provides developers the ability to implement any content, Javascript, CSS framework, AJAX call or web app that can be placed on a web server, based on the developers' privileges within dotCMS. This is by design; there is always a trade-off between flexibility and security. dotCMS has chosen to provide trusted, authenticated site builders the flexibility to implement a variety of modern web experiences and web applications instead of limiting the scope of what that site builder can do within the platform. This philosophy places much of the responsibility of any implementation's security firmly in the hands of the site administrators and developers who best know how to meet their specific business requirements.
Fixes, Patches and Updates
The most secure dotCMS installation will always be the latest version of the dotCMS platform. All security updates implemented in the latest current releases are likewise applied to the latest long-term supported (LTS) releases, making the latest LTS our most secure package overall.
Each release is a culmination of many patches, bug fixes and improvements. While we will (for Enterprise Customers) provide security patches for older versions, we will always advise you to test against and run the latest codebase. Any security updates will be released to the community via a new version release and all security fixes will be placed in the source code and will be available to the community for analysis and generating security patches. dotCMS may choose to back-port security fixes to older versions based on Enterprise customer requests; such back-ported fixes will be made available to the community at large.
Vulnerability Disclosure
dotCMS discloses all reported vulnerabilities in a responsible and industry-standard manner.
Reporting Issues
Please report any potential security issues by sending an email to security-at-dotcms.com.
dotCMS maintains an up-to-date list of all known security issues. When reporting an issue, please specify which version of dotCMS is affected, how we can reproduce the issue and what browser or tool should be used to examine it. dotCMS will disclose all issues in a responsible manner, and we ask the same responsibility when reporting an issue. This means that before the technical details of an issue are made public, dotCMS should have a chance to analyze, reproduce and/or fix the reported security issue.
Triage & Priority
Once an issue has been reported, dotCMS will inspect the issue and attempt to reproduce the issue with the latest dotCMS version with the latest default data and starter implementations. Because dotCMS is a platform for content driven web development and web applications, many reported issues are actually issues with specific customer implementations running on top of dotCMS and not with dotCMS itself. If this is the case, the dotCMS security team will notify you that the reported issue is with a particular installation and not the core dotCMS codebase.
If the issue is deemed of general concern, dotCMS will:
- Inform you
- Create a new known issue on our site, and
- Create a fix issue in GitHub, our bug tracker
We will then perform analysis on the issue and assign that issue a priority level/target fix version. There are four possible priorities a security issue can have, guided by the Common Vulnerability Scoring System (CVSS):
Low — Low priority vulnerabilities have a CVSS score of 0.1-3.9. These may include denial of service or XSS (Cross-Site Scripting) type issues, but generally do not compromise the underlying data or system. An issue will usually be marked as "Low" if it requires the user to have local system access before the issue can be reproduced. Additionally, low priority issues offer no chance for privilege escalation, arbitrary code execution or data loss. Generally these issues can be easily worked around through the use of external tools, firewalls, etc.
Medium — A medium vulnerability (CVSS 4.0-6.9) typically also requires local network access or user privileges to be exploited, though not necessarily. Its impact on business operations is greater than that of a low priority issue, though still limited.
High — High-vulnerability issues (CVSS 7.0-8.9) constitute a security threat to the underlying data or system running dotCMS. This can include security compromises or privilege escalation, though the flaw may be difficult to exploit.
Critical — A critical issue (CVSS 9.0-10.0) can be used to compromise dotCMS or the underlying server/system responsible for running dotCMS. A critical issue may potentially be executed by any user and does not require any specific user authentication ("non-trusted user").