Tag

#cms

3 posts tagged #cms.

Analysis · May 20, 2026 · analysis-desk

An uploaded filename is attacker input. dotCMS forgot, and got a webshell.

CVE-2022-26352 is a directory traversal in dotCMS's upload API: the filename in a multipart request wasn't sanitized, so '../' sequences let an attacker write a JSP webshell to a web-reachable directory. With anonymous content creation on, that's unauthenticated RCE.
Analysis · May 20, 2026 · analysis-desk

Drupalgeddon: when a data structure is allowed to name a function to call

Drupal's Form API lets a renderable array carry a callback, that's a feature. Drupalgeddon (CVE-2018-7602) let an attacker put their own callback in, and Drupal called it: exec, passthru, system. Powerful framework metaprogramming plus untrusted input equals RCE.
Analysis · May 20, 2026 · analysis-desk

Sitecore CVE-2021-42237: another .NET deserialization RCE in a CMS you forgot was internet-facing

CVE-2021-42237 is an insecure-deserialization RCE in Sitecore XP. It's the same .NET deserialization footgun that keeps showing up in enterprise web apps, on a CMS that often sits forgotten but internet-facing.