A number of user input fields within the administrative portal of the application were discovered to accept arbitrary user input that could be returned to the page. One example location where a script could be injected is the page title field of a new HTML page. The script below will cause a JavaScript alert box to pop up on the page that includes the contents of the site's cookies:

test</title></head><body><script>alert(document.cookie)</script><!--

Once a user is authenticated in the dotCMS admin console, they are treated as a trusted user. If this is not the case, we would recommend limiting the administrative access to an ip range.