An authenticated user, with permissions to create and execute Velocity files, can use the Velocity context to execute arbitrary Java objects within the dotCMS code base. When combined with the creation of script files on the server file system, this could allow an authenticated user to perform remote code execution using the JavaScriptingEngineManager.

Customers who have not upgraded to dotCMS 5.3.0 may mitigate this issue by ensuring that:

• Only authorized users have access to create and execute Velocity files, and
• Users with permissions to create Velocity files do not have access to create files on the server file system.

https://github.com/dotCMS/core/issues/18318

GHSL-2020-047