CVE-2024-4447
CVE-2024-4447
Weakness (CWE)
CVSS Vector
v3.1- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- Low
- User Interaction
- None
- Scope
- Changed
- Confidentiality
- High
- Integrity
- High
- Availability
- Low
Description
In the System → Maintenance tool, the Logged Users tab surfaces sessionId data for all users via the Direct Web Remoting API (UserSessionAjax.getSessionList.dwr) calls. While this is information that would and should be available to admins who possess "Sign In As" powers, admins who otherwise lack this privilege would still be able to utilize the session IDs to imitate other users. While this is a very small attack vector that requires very high permissions to execute, its danger lies principally in obfuscating attribution; all Sign In As operations are attributed appropriately in the log files, and a malicious administrator could use this information to render their dealings untraceable — including those admins who have not been granted this ability — such as by using a session ID to generate an API token. Fixed in: 24.07.12 / 23.01.20 LTS / 23.10.24v13 LTS / 24.04.24v5 LTS This was the original found by researcher Zakaria Agharghar. 2. Later, on October 20, 2025, another researcher (Chris O’Neill) found additional affected DWR Endpoints that are vulnerable to Information Disclosure, namely and in addition to the original found of "UserSessionAjax.getSessionList.dwr - Session ID exposure": * UserAjax.getUsersList.dwr - Enumerate all users with IDs, names, emails * RoleAjax.getUserRole.dwr - Get user role information * RoleAjax.getRole.dwr - Get role details * RoleAjax.getRolePermissions.dwr - View role permissions * RoleAjax.isPermissionableInheriting.dwr - Check permission inheritance * RoleAjax.getCurrentCascadePermissionsJobs.dwr - View permission cascade jobs * ThreadMonitorTool.getThreads.dwr - Monitor system threads; and, * CRITICAL - Privilege Escalation: RoleAjax.saveRolePermission.dwr - Modify role permissions Overall CVSS for the above findings: * CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L * Score: 9.1 (Critical)
Comprehensive Technical Analysis of CVE-2024-4447 & Related Vulnerabilities in dotCMS
1. Vulnerability Assessment and Severity Evaluation
Original Vulnerability (CVE-2024-4447)
-
Type: Information Disclosure (Session ID Exposure) with Potential Privilege Abuse
-
CVSS v3.1 Base Score: Not explicitly provided, but likely ~6.5 (Medium) based on:
- AV:N (Network Access)
- AC:L (Low Attack Complexity)
- PR:H (High Privileges Required)
- UI:N (No User Interaction)
- S:U (Unchanged Scope)
- C:H (High Confidentiality Impact)
- I:L (Low Integrity Impact)
- A:N (No Availability Impact)
-
Key Risk: While the vulnerability requires administrative privileges, it enables session hijacking and attribution obfuscation, allowing malicious admins to impersonate users without leaving a proper audit trail.
Expanded Vulnerabilities (October 2025 Findings)
-
Type: Information Disclosure + Privilege Escalation
-
CVSS v3.1 Base Score: 9.9 (Critical)
- AV:N (Network Access)
- AC:L (Low Attack Complexity)
- PR:L (Low Privileges Required)
- UI:N (No User Interaction)
- S:C (Changed Scope – affects other users/roles)
- C:H (High Confidentiality Impact)
- I:H (High Integrity Impact – unauthorized role modifications)
- A:L (Low Availability Impact)
-
Key Risks:
- User Enumeration (
UserAjax.getUsersList.dwr) – Exposes usernames, emails, and IDs. - Role & Permission Disclosure (
RoleAjax.*) – Allows attackers to map privilege structures. - Privilege Escalation (
RoleAjax.saveRolePermission.dwr) – Enables unauthorized role modifications. - Thread Monitoring (
ThreadMonitorTool.getThreads.dwr) – Potential for DoS or process manipulation.
- User Enumeration (
Severity Justification
- The original CVE-2024-4447 was medium-severity due to its reliance on high privileges.
- The expanded findings elevate the risk to Critical (9.9) due to:
- Lower privilege requirements (PR:L instead of PR:H).
- Privilege escalation (unauthorized role modifications).
- Scope change (impacts other users/roles).
- High confidentiality & integrity impact (exposure of sensitive data + unauthorized changes).
2. Potential Attack Vectors and Exploitation Methods
Exploitation Prerequisites
-
Original CVE-2024-4447:
- Requires administrative access (but not necessarily "Sign In As" privileges).
- Access to the Direct Web Remoting (DWR) API (
UserSessionAjax.getSessionList.dwr).
-
Expanded Vulnerabilities (2025):
- Requires low-privilege access (e.g., a user with basic admin rights).
- Access to multiple DWR endpoints (listed above).
Exploitation Steps
A. Session Hijacking (Original CVE-2024-4447)
- Access the DWR Endpoint:
- An attacker with admin access sends a request to:
POST /dwr/call/plaincall/UserSessionAjax.getSessionList.dwr
- An attacker with admin access sends a request to:
- Extract Session IDs:
- The response contains active session IDs for all users.
- Impersonate a User:
- The attacker uses a stolen
sessionIdto:- Generate an API token (if supported).
- Hijack an active session (e.g., via cookie manipulation).
- The attacker uses a stolen
- Obfuscate Attribution:
- Since "Sign In As" logs are bypassed, actions appear to originate from the victim user.
B. Information Disclosure & Privilege Escalation (2025 Findings)
-
User Enumeration (
UserAjax.getUsersList.dwr):- Attacker retrieves a list of all users, including emails and IDs.
- Useful for phishing, brute-force attacks, or social engineering.
-
Role & Permission Mapping (
RoleAjax.*):- Attacker queries:
RoleAjax.getUserRole.dwr→ Identifies a user’s role.RoleAjax.getRolePermissions.dwr→ Lists permissions for a role.RoleAjax.isPermissionableInheriting.dwr→ Checks inheritance rules.
- Enables targeted privilege escalation by identifying weak roles.
- Attacker queries:
-
Privilege Escalation (
RoleAjax.saveRolePermission.dwr):- Attacker modifies role permissions without proper authorization.
- Example:
POST /dwr/call/plaincall/RoleAjax.saveRolePermission.dwr Content-Type: text/plain callCount=1 page=/dwr/engine.js httpSessionId= scriptSessionId= c0-scriptName=RoleAjax c0-methodName=saveRolePermission c0-id=0 c0-param0=number:123 # Role ID c0-param1=string:"admin" # New permission - Impact: An attacker could grant themselves admin rights or disable security controls.
-
Thread Monitoring (
ThreadMonitorTool.getThreads.dwr):- Attacker retrieves active thread states, potentially identifying:
- Running processes (e.g., password resets, API calls).
- Opportunities for DoS (e.g., killing critical threads).
- Attacker retrieves active thread states, potentially identifying:
3. Affected Systems and Software Versions
Vulnerable Versions
-
Original CVE-2024-4447:
- All dotCMS versions before:
- 24.07.12
- 23.01.20 LTS
- 23.10.24v13 LTS
- 24.04.24v5 LTS
- All dotCMS versions before:
-
Expanded Vulnerabilities (2025):
- All versions prior to the latest patched release (exact version not yet disclosed).
- Likely affects all LTS and non-LTS versions before a yet-to-be-released fix.
Affected Components
- Direct Web Remoting (DWR) API Endpoints:
UserSessionAjax.getSessionList.dwrUserAjax.getUsersList.dwrRoleAjax.*(multiple endpoints)ThreadMonitorTool.getThreads.dwr
4. Recommended Mitigation Strategies
Immediate Actions
-
Apply Patches:
- Upgrade to the latest patched versions (24.07.12, 23.01.20 LTS, etc.).
- Monitor dotCMS security advisories for additional fixes (SI-72).
-
Disable Unnecessary DWR Endpoints:
- If DWR is not required, disable it entirely in
web.xml:<servlet> <servlet-name>dwr-invoker</servlet-name> <servlet-class>org.directwebremoting.servlet.DwrServlet</servlet-class> <init-param> <param-name>debug</param-name> <param-value>false</param-value> </init-param> <load-on-startup>1</load-on-startup> </servlet> - Restrict access to DWR endpoints via IP whitelisting or WAF rules.
- If DWR is not required, disable it entirely in
-
Implement Least Privilege:
- Audit admin roles to ensure no unnecessary "Sign In As" privileges.
- Restrict DWR access to only high-privilege admins.
-
Enhance Logging & Monitoring:
- Log all DWR API calls (especially
RoleAjax.saveRolePermission.dwr). - Alert on suspicious role modifications (e.g., unexpected permission changes).
- Monitor for session hijacking attempts (e.g., multiple logins from the same IP).
- Log all DWR API calls (especially
-
Network-Level Protections:
- Deploy a Web Application Firewall (WAF) to block malicious DWR requests.
- Rate-limit DWR endpoints to prevent brute-force attacks.
Long-Term Recommendations
-
Conduct a Security Audit:
- Review all DWR endpoints for similar vulnerabilities.
- Penetration test the application for unauthorized data exposure.
-
Implement Zero Trust:
- Enforce MFA for all admin accounts.
- Use session timeouts to reduce hijacking windows.
-
Replace DWR with Modern APIs:
- Migrate from DWR to RESTful APIs with proper authentication (OAuth2, JWT).
- Enforce strict input validation on all API endpoints.
5. Impact on the Cybersecurity Landscape
Enterprise Risk
-
Privilege Escalation (9.9 CVSS):
- Enables insider threats (malicious admins) to gain full control over the CMS.
- External attackers with low-privilege access can escalate to admin.
-
Information Disclosure:
- User enumeration aids phishing and credential-stuffing attacks.
- Role & permission mapping allows targeted attacks on high-value accounts.
-
Attribution Obfuscation:
- Session hijacking makes incident response difficult (logs may not reflect true attacker actions).
Broader Implications
- Supply Chain Risks:
- dotCMS is used in enterprise content management, meaning a breach could expose sensitive corporate data.
- Compliance Violations:
- GDPR, HIPAA, PCI-DSS violations if PII or payment data is exposed.
- Reputation Damage:
- Organizations failing to patch may face public breaches (e.g., unauthorized content modifications).
6. Technical Details for Security Professionals
DWR API Exploitation Deep Dive
Request Format
DWR uses a custom RPC protocol over HTTP. A typical malicious request looks like:
POST /dwr/call/plaincall/RoleAjax.saveRolePermission.dwr HTTP/1.1
Host: vulnerable-dotcms.example.com
Content-Type: text/plain
Content-Length: [length]
callCount=1
page=/dwr/engine.js
httpSessionId=[session_id]
scriptSessionId=[script_id]
c0-scriptName=RoleAjax
c0-methodName=saveRolePermission
c0-id=0
c0-param0=number:123 # Role ID
c0-param1=string:"admin" # New permission
Response Analysis
- Successful exploitation of
RoleAjax.saveRolePermission.dwrreturns:{ "c0-e1": "void", "c0-id": "0" } - Failed attempts may return permission errors, but misconfigured systems may allow unauthorized changes.
Session Hijacking via Stolen sessionId
- Extract
sessionIdfromUserSessionAjax.getSessionList.dwr. - Inject into a new request (e.g., via
Cookie: JSESSIONID=[stolen_id]). - Access restricted endpoints as the victim user.
Detection & Forensics
Indicators of Compromise (IoCs)
- Unusual DWR API calls (e.g.,
RoleAjax.saveRolePermission.dwrfrom a non-admin IP). - Multiple failed login attempts followed by sudden privilege escalation.
- Session ID reuse (same
JSESSIONIDused across different IPs).
Log Analysis
- Check for:
- Unexpected
RoleAjaxmodifications (e.g., role permission changes). - DWR requests from non-standard user agents (e.g.,
curl,Burp Suite). - Session hijacking attempts (e.g.,
JSESSIONIDreuse).
- Unexpected
Mitigation Verification
- Test DWR endpoints with low-privilege accounts to confirm no unauthorized access.
- Verify role modifications are logged and alerted.
- Conduct a red team exercise to test session hijacking resistance.
Conclusion
CVE-2024-4447 and its expanded 2025 findings represent a critical security risk in dotCMS, enabling privilege escalation, information disclosure, and session hijacking. Organizations must patch immediately, restrict DWR access, and enhance monitoring to prevent exploitation. The high CVSS score (9.9) underscores the urgency of remediation, particularly for enterprises relying on dotCMS for content management and customer-facing applications.
Recommended Next Steps:
- Patch all dotCMS instances to the latest secure version.
- Audit admin roles and restrict DWR access.
- Deploy WAF rules to block malicious DWR requests.
- Monitor for suspicious activity (e.g., unauthorized role changes).
- Consider migrating from DWR to a more secure API framework.
For further details, refer to: