Insufficient authentication in the CMSMaintenanceAjax class

Issue: SI-37
Date: Jul 27, 2016 1:15:00 PM
Severity: Critical
Requires Admin Access: No
Fix Version: 3.3.2, 3.5.1
Credit: dotCMS Internal Security Team
Description:

Under certain conditions, it may be possible to invoke the deleteContentletsFromIdList method of the CMSMaintenance class without proper permissions.

Workaround:

Restrict access to the REST API via firewall or proxy.
