CVE-2021-35358: 
dotCMS vulnerability analysis and mitigation

A stored cross site scripting (XSS) vulnerability was discovered in dotCMS version 21.05.1, specifically in the dotAdmin/#/c/c_Images component. The vulnerability was disclosed on June 15, 2021 and assigned identifier CVE-2021-35358. The issue affects authenticated users who have access to the dotAdmin interface (NVD, CVE).

The vulnerability allows authenticated attackers to execute arbitrary web scripts or HTML by injecting malicious payloads into the 'Title' and 'Filename' parameters when adding new content in the Images section. The CVSS v3.1 base score is 4.8 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability could allow attackers to transmit private data like cookies or session information, redirect victims to malicious web content, or perform other unauthorized operations under the guise of the vulnerable site. The attack requires user interaction as victims need to access the affected page containing the malicious payload (GitHub Issue).

The vulnerability was reported in dotCMS version 21.05.1. Users should upgrade to a patched version of the software once available. No specific workarounds were published (NVD).