|Requires Admin Access:||Yes|
|Fix Version:||21.05, 126.96.36.199|
An issue was discovered in dotCMS 3.0 through 188.8.131.52 and 20.10 through 21.04. When PUTting or POSTing content via /api/content in the XML format, the processed XML stream, at unmarshalling time, contains type information to recreate the formerly written objects. XStream therefore creates new instances based on this type information. An attacker can manipulate the processed input stream, and replace or inject objects that result in execution of arbitrary code, loaded from a remote server. dotCMS is vulnerable to these attacks because of the use of XStream to unmarshall the XML object.
It is possible to mitigate this attack in a number of ways.