| Issue: | |
|---|---|
| Date: | |
| Severity: | Medium |
| Requires Admin Access: | Yes |
| Fix Version: | Plugin |
| Credit: | SafeDog Penetration and Defense Lab - darong tong |
| Description: | Administrative backend access is vulnerable to a CSRF attack. If a user is logged into the dotCMS backend and, in another tab or window, opens malicious content that targets dotCMS, that content can issue requests to dotCMS which the browser sends with the backend session it already holds. |
| Mitigation: | Use the OSGi plugin to restrict access to the vulnerable URLs: https://github.com/dotCMS/com.dotcms.csrffilter |
| References: | CERT issue CVE-2017-3187 |
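As an added illustration of the mitigation (this is example code written for this page, not the dotCMS com.dotcms.csrffilter plugin), a servlet filter that refuses state-changing requests to backend URLs unless the browser's Origin header (falling back to Referer) matches the site's own origin, so a request triggered from another site cannot ride on the logged-in session. The `/c/` and `/api/` path prefixes and the `SITE_ORIGIN` value are assumptions for the example, not paths or hosts from the advisory.

```java
import java.io.IOException;
import java.net.URI;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Blocks cross-site state-changing requests to backend URLs (illustrative example, not the dotCMS plugin). */
public class BackendCsrfFilter implements Filter {
    // Assumed: the scheme://host[:port] the backend is legitimately served from.
    private static final String SITE_ORIGIN = "https://cms.example.com";
    // Assumed backend path prefixes to protect (request URI, root context assumed); adjust per deployment.
    private static final String[] PROTECTED_PREFIXES = { "/c/", "/api/" };
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");

    static boolean isProtectedPath(String uri) {
        for (String p : PROTECTED_PREFIXES) if (uri.startsWith(p)) return true;
        return false;
    }

    /** Reduces an Origin/Referer value to scheme://host[:port]; null when absent, "null", or malformed. */
    static String originOf(String url) {
        if (url == null || url.isEmpty()) return null;
        try {
            URI u = URI.create(url);
            if (u.getScheme() == null || u.getHost() == null) return null;
            return u.getScheme() + "://" + u.getHost() + (u.getPort() == -1 ? "" : ":" + u.getPort());
        } catch (IllegalArgumentException e) { return null; }
    }

    /** True when the request must be refused: unsafe method on a protected path from a missing or foreign origin. */
    static boolean isCrossSite(String method, String uri, String origin, String referer) {
        if (SAFE_METHODS.contains(method.toUpperCase()) || !isProtectedPath(uri)) return false;
        String src = originOf(origin != null ? origin : referer);
        // A missing header is treated as cross-site; clients that strip Referer must send Origin.
        return !SITE_ORIGIN.equalsIgnoreCase(src);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        if (isCrossSite(r.getMethod(), r.getRequestURI(), r.getHeader("Origin"), r.getHeader("Referer"))) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN, "Cross-site request refused");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig c) {}
    @Override public void destroy() {}
}
```

Register the filter ahead of the backend servlets so the check runs before any state change; pairing it with a per-session synchronizer token closes the gap for clients that send neither header.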