Issues » Insufficient authentication in the CMSMaintenanceAjax class

Issue: SI-37
Date: Jul 27, 2016, 9:15:00 AM
Severity: Critical
Requires Admin Access: Yes
Fix Version: 3.3.2, 3.5.1
Credit: dotCMS Internal Security Team
Description:

Under certain conditions, it may be possible to invoke the deleteContentletsFromIdList method of the CMSMaintenance class without proper permissions.

Mitigation:

Restrict access to the REST API via firewall or proxy.