dotCMS Direct Web Remoting API UserSessionAjax.getSessionList.dwr authorization

Summaryinfo

A vulnerability labeled as problematic has been found in dotCMS. Impacted is the function UserSessionAjax.getSessionList.dwr of the component Direct Web Remoting API. Executing a manipulation can lead to authorization. The identification of this vulnerability is CVE-2024-4447. The attack may be launched remotely. There is no exploit available. The affected component should be upgraded.

Detailsinfo

A vulnerability was found in dotCMS. It has been declared as problematic. This vulnerability affects the function UserSessionAjax.getSessionList.dwr of the component Direct Web Remoting API. The manipulation with an unknown input leads to a authorization vulnerability. The CWE definition for the vulnerability is CWE-863. The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. As an impact it is known to affect confidentiality. CVE summarizes:

In the System → Maintenance tool, the Logged Users tab surfaces sessionId data for all users via the Direct Web Remoting API (UserSessionAjax.getSessionList.dwr) calls. While this is information that would and should be available to admins who possess "Sign In As" powers, admins who otherwise lack this privilege would still be able to utilize the session IDs to imitate other users. While this is a very small attack vector that requires very high permissions to execute, its danger lies principally in obfuscating attribution; all Sign In As operations are attributed appropriately in the log files, and a malicious administrator could use this information to render their dealings untraceable — including those admins who have not been granted this ability — such as by using a session ID to generate an API token. Fixed in: 24.07.12 / 23.01.20 LTS / 23.10.24v13 LTS / 24.04.24v5 LTS This was the original found by researcher Zakaria Agharghar. 2. Later, on October 20, 2025, another researcher (Chris O’Neill) found additional affected DWR Endpoints that are vulnerable to Information Disclosure, namely and in addition to the original found of "UserSessionAjax.getSessionList.dwr - Session ID exposure": * UserAjax.getUsersList.dwr - Enumerate all users with IDs, names, emails * RoleAjax.getUserRole.dwr - Get user role information * RoleAjax.getRole.dwr - Get role details * RoleAjax.getRolePermissions.dwr - View role permissions * RoleAjax.isPermissionableInheriting.dwr - Check permission inheritance * RoleAjax.getCurrentCascadePermissionsJobs.dwr - View permission cascade jobs * ThreadMonitorTool.getThreads.dwr - Monitor system threads; and, * CRITICAL - Privilege Escalation: RoleAjax.saveRolePermission.dwr - Modify role permissions Overall CVSS for the above findings: * CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L * Score: 9.1 (Critical)

The advisory is shared for download at auth.dotcms.com. This vulnerability was named CVE-2024-4447 since 05/02/2024. The exploitation appears to be easy. The attack can be initiated remotely. Additional levels of successful authentication are needed for exploitation. There are known technical details, but no exploit is available.

Upgrading to version 23.01.20 LTS, 23.10.24v13 LTS, 24.07.12 or 24.04.24v5 LTS eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2024-44066). VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Type

• Content Management System

Name

• dotCMS

License

• open-source

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Discussion