AJAX requests without a session ID or other form of authentication

Issue:	SI-15
Date:	Jun 18, 2013, 10:00:00 AM
Severity:	Critical
Requires Admin Access:	No
Fix Version:	2.3.2
Credit:	Internal Security Team
Description:	It is possible to create a user account (without privileges) using a properly formated remote AJAX call.
Mitigation:	Upgrade to dotCMS v. 2.3.2+ Restrict access to the /dwr url pattern to trusted IP addresses.
References	https://github.com/dotCMS/dotCMS/issues/3031

Highly Rated and Recommended