XSS in Lucene Search Admin tool

Issue: SI-33
Date: Apr 11, 2016, 10:30:00 AM
Severity: Low
Requires Admin Access: Yes
Fix Version: 3.3.2, 3.5
Credit: Piaox From Pingan Product Safety Group

The Lucene search admin tool (admin only) allows a user to construct and execute a query against dotCMS content. The admin tool does not sanitize the query and echoes it back to the user, which allows XSS (JavaScript execution in the browser of whoever views the echoed query).

Prevent access to the lucene search admin tool except for authorized personnel.
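The two points above (a query echoed into HTML without encoding, and restricting the tool to authorized users) are easy to show side by side. The following is an added example written for this page; it is not dotCMS code and does not reflect how the real admin tool is implemented. The handler shape, the role name `cms_admin` and the sample query are assumptions made for the demonstration.

```python
import html

# Constructed sample input (not taken from the advisory): a Lucene query string
# that also carries HTML markup, the kind of value a reflected XSS relies on.
SAMPLE_QUERY = '+contentType:News <script>alert(1)</script>'

# Assumed role name for the demonstration; not a dotCMS identifier.
ADMIN_ROLE = 'cms_admin'


def render_vulnerable(query: str) -> str:
    """Mirrors the flaw described in the advisory: the raw query is
    concatenated straight into the response body, so any markup in it
    is interpreted by the browser."""
    return f'<p>Results for query: {query}</p>'


def render_fixed(query: str) -> str:
    """Hardened form: HTML-encode the query before echoing it.
    html.escape with quote=True also encodes ' and ", which matters
    when the value ends up inside an attribute."""
    return f'<p>Results for query: {html.escape(query, quote=True)}</p>'


def handle_search(query: str, user_roles: set) -> tuple:
    """Request handler modelled on the advisory's mitigation: the tool is
    only reachable by authorized personnel, and what it echoes is encoded.
    Returns (http_status, body)."""
    if ADMIN_ROLE not in user_roles:
        # Deny before doing any work with the untrusted query.
        return 403, '<p>Forbidden</p>'
    return 200, render_fixed(query)


def echoes_raw_markup(rendered: str) -> bool:
    """Review helper: does a raw <script> tag survive in the rendered HTML?
    This is the condition a code reviewer or unit test wants to be false."""
    return '<script' in rendered.lower()


if __name__ == '__main__':
    print('vulnerable:', render_vulnerable(SAMPLE_QUERY))
    print('fixed:     ', render_fixed(SAMPLE_QUERY))
    print('non-admin: ', handle_search(SAMPLE_QUERY, {'reader'}))
    print('admin:     ', handle_search(SAMPLE_QUERY, {ADMIN_ROLE}))
```

Note that the access check is defense in depth, not a substitute for encoding: an administrator who is tricked into following a crafted link to the tool still has the query reflected into their own session, so the output encoding in `render_fixed` is what actually removes the XSS.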