AJAX requests without a session ID or other form of authentication

Issue: SI-15
Date: Jun 18, 2013 2:00:00 PM
Severity: Critical
Requires Admin Access: No
Fix Version: 2.3.2
Credit: Internal Security Team
Description:

It is possible to create a user account (without privileges) by sending a properly formatted remote AJAX call to the /dwr endpoint, which accepts such requests without a session ID or any other form of authentication.

Workaround:
  • Upgrade to dotCMS v. 2.3.2+ (the fix).
  • Until then, restrict access to the /dwr url pattern to trusted IP addresses, for example at the reverse proxy or servlet container in front of dotCMS. This only limits who can reach the endpoint; it does not add authentication to it, so callers from the trusted ranges can still make the unauthenticated call.
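To check whether the endpoint was reached before the fix or the IP restriction was in place, the following added example (not dotCMS code) sweeps web access logs for calls to /dwr that either come from outside the trusted ranges or carry no session cookie. It assumes logs in Apache "combined" format with the request Cookie header appended as a final quoted field (`%{Cookie}i`), that the session cookie is Tomcat's `JSESSIONID`, and that the logged address is the real client address (behind a reverse proxy, log the forwarded address instead). The trusted network `10.0.0.0/8`, the sample log lines and the DWR method name in them (`ExampleAjax.createUser`) are constructed for illustration.

```python
"""Detection sweep for SI-15: find calls to the dotCMS /dwr endpoint that
arrive without a session cookie or from outside trusted address ranges.

Added example, not dotCMS code. Log format, trusted ranges and the sample
lines below are assumptions/constructed data, not real dotCMS artifacts."""
import ipaddress
import re
from typing import Dict, Iterable, List, Sequence

# Hypothetical allowlist: the same ranges you would allow on the /dwr pattern.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines (not real logs). Apache combined format plus a
# trailing quoted Cookie field; the DWR method name is a placeholder.
SAMPLE_LOG = """\
10.1.2.3 - - [18/Jun/2013:14:02:11 +0000] "POST /dwr/call/plaincall/ExampleAjax.createUser.dwr HTTP/1.1" 200 512 "-" "Mozilla/5.0" "JSESSIONID=abc123"
203.0.113.9 - - [18/Jun/2013:14:03:40 +0000] "POST /dwr/call/plaincall/ExampleAjax.createUser.dwr HTTP/1.1" 200 512 "-" "python-requests/1.2" "-"
203.0.113.9 - - [18/Jun/2013:14:03:41 +0000] "GET /about-us/index HTTP/1.1" 200 8812 "-" "python-requests/1.2" "-"
10.1.2.4 - - [18/Jun/2013:14:05:02 +0000] "POST /dwr/call/plaincall/ExampleAjax.createUser.dwr HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
"""

# Combined log format with an optional final quoted Cookie field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<cookie>[^"]*)")?$'
)

# Matches /dwr, /dwr/..., and /dwr?... but not e.g. /dwrfoo.
DWR_PATH_RE = re.compile(r"^/dwr(?:[/?]|$)")


def has_session_cookie(cookie_field: str) -> bool:
    """True when the logged Cookie header carries a non-empty JSESSIONID."""
    if cookie_field in ("", "-"):
        return False
    for pair in cookie_field.split(";"):
        name, _, value = pair.strip().partition("=")
        if name == "JSESSIONID" and value:
            return True
    return False


def is_trusted(ip: str, networks: Sequence[ipaddress._BaseNetwork]) -> bool:
    """True when ip falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable address is never trusted
    return any(addr in net for net in networks)


def find_suspicious_dwr_calls(
    lines: Iterable[str],
    networks: Sequence[ipaddress._BaseNetwork] = TRUSTED_NETWORKS,
) -> List[Dict]:
    """Return one finding per /dwr request that is untrusted or unauthenticated."""
    findings: List[Dict] = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # unexpected format: skip rather than guess
        path = m.group("path")
        if not DWR_PATH_RE.match(path):
            continue
        reasons = []
        if not is_trusted(m.group("ip"), networks):
            reasons.append("untrusted source")
        if not has_session_cookie(m.group("cookie") or ""):
            reasons.append("no session cookie")
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "method": m.group("method"),
                "path": path,
                "status": int(m.group("status")),
                "user_agent": m.group("ua"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_dwr_calls(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['ip']} {f['method']} {f['path']} "
              f"-> {f['status']} ({', '.join(f['reasons'])})")
```

A finding with "no session cookie" on a successful POST to /dwr is the pattern this issue describes; cross-check any such hit against user accounts created around the same time, since the vulnerable versions did not require a session to create one.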

Issues
  • https://github.com/dotCMS/dotCMS/issues/3031