CVE-2020-19138

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to upload malicious files to DotCMS servers, leading to arbitrary code execution. Attackers can exploit this by uploading dangerous file types through the CMSFilter component. All DotCMS installations running version 5.2.3 or earlier are affected.

💻 Affected Systems

Products:
  • DotCMS
Versions: 5.2.3 and earlier
Operating Systems: All platforms running DotCMS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable; no special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with remote code execution, data theft, and persistent backdoor installation.

🟠 Likely Case: Webshell deployment leading to data exfiltration, lateral movement, and service disruption.

🟢 If Mitigated: File upload attempts blocked at WAF or detected by file integrity monitoring.

🌐 Internet-Facing: HIGH - Directly exploitable via HTTP requests without authentication.
🏢 Internal Only: HIGH - Exploitable from any network segment with access to the DotCMS interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP file upload capability; GitHub issues contain technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.2.4 and later

Vendor Advisory: https://github.com/dotCMS/core/issues/17796

Restart Required: Yes

Instructions:

1. Back up your DotCMS installation and database.
2. Download DotCMS 5.2.4 or later from official sources.
3. Replace the vulnerable CMSFilter.java component.
4. Restart the DotCMS service.
5. Verify the fix by checking the version.

🔧 Temporary Workarounds

WAF File Upload Filtering (Platforms: all)

Configure the web application firewall to block file uploads to vulnerable endpoints.

Note: WAF-specific configuration required.

File Upload Restriction (Platforms: all)

Implement server-side file type validation and restrict upload directories.

Configure the server to reject uploads to /src/main/java/com/dotmarketing/filters/

🧯 If You Can't Patch

  • Isolate DotCMS servers from internet and restrict internal access
  • Implement strict file integrity monitoring on upload directories

🔍 How to Verify

Check if Vulnerable:

Check DotCMS version via admin interface or by examining the installation directory for version files.

Check Version:

Check /dotserver/tomcat-X.X.XX/webapps/ROOT/META-INF/MANIFEST.MF or admin panel

Verify Fix Applied:

Verify version is 5.2.4 or later and test file upload functionality with restricted file types.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to CMSFilter endpoints
  • Java class file uploads
  • POST requests with file uploads to admin paths

Network Indicators:

  • HTTP POST requests with file uploads to /src/main/java/com/dotmarketing/filters/
  • Unusual outbound connections from DotCMS server

SIEM Query:

source="dotcms" AND (url="*CMSFilter*" OR method="POST") AND (file_upload="true" OR content_type="application/java-archive")
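The log and network indicators above can be turned into a small offline detector. The following is an added example written for this page, not code from dotCMS or from the original advisory. It parses constructed web-access log records (the format, the request paths such as /servlets/CMSFilter, and the admin prefixes /dotAdmin/ and /c/portal/ are all assumptions made for the illustration, not values taken from the page) and flags POST requests that carry a file upload to a CMSFilter-related path, an admin path, or that upload a Java artifact, mirroring the three log indicators listed above.

```python
"""Flag file-upload POSTs matching the indicators listed in the advisory.

Added example; not part of the original page or of dotCMS. Log format,
paths and admin prefixes below are constructed assumptions.
"""
import re
from dataclasses import dataclass

# One record per line: timestamp source method path status "content-type" "uploaded-filename"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) '
    r'"(?P<ctype>[^"]*)" "(?P<fname>[^"]*)"$'
)

# Path fragments the advisory names as indicators (treated as watch patterns).
SUSPICIOUS_PATH_PATTERNS = [
    re.compile(r"CMSFilter", re.IGNORECASE),
    re.compile(r"/src/main/java/com/dotmarketing/filters/", re.IGNORECASE),
]
# Content types that indicate a Java artifact in the request body.
JAVA_CONTENT_TYPES = {"application/java-archive", "application/java-vm", "application/x-java-class"}
# Uploaded-file extensions that count as "Java class file uploads".
JAVA_EXTENSIONS = (".class", ".jar", ".war", ".jsp")
# Assumed admin path prefixes for this example.
ADMIN_PREFIXES = ("/dotAdmin/", "/c/portal/")


@dataclass
class Finding:
    ts: str
    src: str
    path: str
    reasons: list


def parse_line(line):
    """Return the record fields as a dict, or None if the line is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return the list of indicator names a parsed record matches (empty if benign)."""
    reasons = []
    if rec["method"] != "POST":
        return reasons
    ctype = rec["ctype"].split(";")[0].strip().lower()
    fname = rec["fname"].lower()
    # Only requests that actually carry an upload are of interest.
    is_upload = ctype == "multipart/form-data" or ctype in JAVA_CONTENT_TYPES or bool(fname)
    if not is_upload:
        return reasons
    if any(p.search(rec["path"]) for p in SUSPICIOUS_PATH_PATTERNS):
        reasons.append("upload to CMSFilter-related path")
    if ctype in JAVA_CONTENT_TYPES or fname.endswith(JAVA_EXTENSIONS):
        reasons.append("java artifact upload")
    if rec["path"].startswith(ADMIN_PREFIXES):
        reasons.append("upload to admin path")
    return reasons


def scan(lines):
    """Run classify() over every parsable line and collect the matches."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crashing the scan
        reasons = classify(rec)
        if reasons:
            findings.append(Finding(rec["ts"], rec["src"], rec["path"], reasons))
    return findings


# Constructed sample records (not real traffic); one malformed line is included on purpose.
SAMPLE_LOG = [
    '2020-06-01T10:00:00Z 203.0.113.5 GET /about-us 200 "" ""',
    '2020-06-01T10:00:01Z 203.0.113.5 POST /c/portal/layout 200 "multipart/form-data; boundary=abc" "brochure.pdf"',
    '2020-06-01T10:00:02Z 198.51.100.9 POST /servlets/CMSFilter 200 "application/java-archive" "plugin.jar"',
    '2020-06-01T10:00:03Z 203.0.113.7 POST /contact-form 200 "application/x-www-form-urlencoded" ""',
    'this line is not a log record',
    '2020-06-01T10:00:04Z 198.51.100.9 POST /dotAdmin/upload 200 "multipart/form-data" "Helper.class"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.path}: {', '.join(f.reasons)}")
```

Three of the six sample lines produce findings: the multipart upload to the /c/portal/ prefix, the Java archive posted to the CMSFilter path, and the .class upload to /dotAdmin/. The form-encoded POST and the GET are ignored because they carry no upload, and the malformed line is skipped. Tuning the path patterns and admin prefixes to the actual deployment is the part a practitioner has to do per environment.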
