Insufficient authentication in the CMSMaintenanceAjax class

Issue: SI-37
Date: Jul 27, 2016, 9:15:00 AM
Severity: Critical
Requires Admin Access: No
Fix Version: 3.3.2, 3.5.1
Credit: dotCMS Internal Security Team

Description: Under certain conditions, it may be possible to invoke the deleteContentletsFromIdList method of the CMSMaintenance class without proper permissions.


Mitigation: Restrict access to the REST API via firewall or proxy.