CVE-2020-18875: 
dotCMS vulnerability analysis and mitigation

Incorrect Access Control in DotCMS versions before 5.1 allows remote attackers to gain privileges by injecting client configurations via vtl (velocity) files. The vulnerability was discovered in January 2019 and assigned CVE-2020-18875. The issue affects DotCMS installations prior to version 5.1.0 (DotCMS Advisory, NVD).

The vulnerability has a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The attack requires network access, low attack complexity, and low privileges, with no user interaction needed. The vulnerability allows attackers to inject client configurations through velocity (vtl) files, potentially leading to privilege escalation (NVD).

The vulnerability can result in high impacts on confidentiality, integrity, and availability of the affected system. Successful exploitation allows attackers to elevate their dotCMS permissions for the duration of their browsing session (DotCMS Advisory).

The vulnerability was fixed in DotCMS version 5.1.0. Users should upgrade to this version or later to mitigate the risk. No other workarounds were provided at the time of disclosure (DotCMS Advisory).