dotCMS TempFileAPI allows a SSRF that can allow to access to internal systems accessible via url

• For example if dotCMS is connected to an unsecured elastisearch instance, this SSRF we can direct access the elastisearch REST API
• In a cloud environment, it can be possible to abuse this flaw to get a Remote Code Execution
• An user with a few permissions is required
• Exploitation required user setup is a little different, so I upload a video (private) showing how to configure your users and how to use a less privileged account to explore the SSRF

The exploitation can allow access to any web service that can be access via localhost can be target, this include Cloud services like AWS APIs

• If this CMS is running in a cloud environment, it can be possible to abuse this flaw to get a Remote Code Execution

1. Upgrade to unaffected versions
2. Create a Rule that block external access to the TempFileResource, /api/v1/temp/byUrl

https://huntr.dev/bounties/e903dacf-396c-4c9f-b7b3-3138182a3488/