
Cloud Vulnerability DB
A community-led vulnerabilities database
A reflected cross-site scripting (XSS) vulnerability was discovered in dotCMS version 21.05.1, specifically affecting the dotAdmin/#/c/containers path. The vulnerability was disclosed on June 15, 2021, and was assigned identifier CVE-2021-35360. This security flaw allows attackers to execute arbitrary commands or HTML through a crafted payload in the application's container management interface (GitHub Issue).
The vulnerability exists in the search functionality of the dotAdmin interface, specifically in the '/c/containers' and '/c/links' paths. When a malicious payload is inserted into the 'SEARCH' parameter, it gets reflected back to the user without proper sanitization, enabling cross-site scripting attacks. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).
The XSS vulnerability can be exploited to transmit private data, such as cookies or session information, to the attacker. It could also be used to redirect victims to malicious web content or to perform unauthorized operations under the guise of the vulnerable site. Exploitation requires user interaction and high privileges, matching the UI:R and PR:H components of the CVSS vector above (GitHub Issue).
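The root cause described above is a search term reflected into the admin page without output encoding. The following added example (not dotCMS code and not part of the report) models that pattern in Python: a hypothetical `render_unsafe` that concatenates the decoded `SEARCH` value into HTML, a hardened `render_safe` that HTML-entity encodes it for both the attribute and text contexts, and a small triage helper that flags request paths whose `SEARCH` value carries markup. The request lines are constructed sample input, and the page template is invented for illustration only.

```python
"""Reflected XSS in a search parameter: unsafe reflection vs. output encoding.

Added illustration for the CVE-2021-35360 write-up; the template, the
function names and the sample requests below are all constructed and do
not come from dotCMS.
"""
import re
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed sample request lines (path + query), as an access log might record them.
SAMPLE_REQUESTS = [
    "/c/containers?SEARCH=banner",
    "/c/links?SEARCH=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "/c/containers?SEARCH=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E",
]

# Triage heuristic: markup delimiters, a javascript: URL, or an on*= event handler
# inside the decoded search term. Apostrophes are included deliberately, so
# legitimate searches containing one will be flagged for review too.
_SUSPICIOUS = re.compile(r'[<>"\']|javascript:|\bon\w+\s*=', re.IGNORECASE)


def search_term(path_with_query: str) -> str:
    """Return the URL-decoded SEARCH parameter, or '' if it is absent."""
    params = parse_qs(urlsplit(path_with_query).query)
    return params.get("SEARCH", [""])[0]


def render_unsafe(term: str) -> str:
    """Vulnerable pattern: the raw term is concatenated into HTML verbatim.

    A term containing '"' closes the value attribute, and a term containing
    '<' starts a new element, so the browser executes attacker-controlled markup.
    """
    return f'<input name="SEARCH" value="{term}"><p>Results for {term}</p>'


def render_safe(term: str) -> str:
    """Hardened pattern: HTML-entity encode before reflecting.

    escape(..., quote=True) rewrites < > & " ' to entities, which is the
    correct encoding for both a double-quoted attribute and element text.
    """
    encoded = escape(term, quote=True)
    return f'<input name="SEARCH" value="{encoded}"><p>Results for {encoded}</p>'


def tag_count(markup: str) -> int:
    """Number of '<' characters in the rendered page.

    The constructed template contributes exactly three (<input>, <p>, </p>);
    anything above that means the search term introduced its own markup.
    """
    return markup.count("<")


def is_suspicious(term: str) -> bool:
    """True if the decoded term looks like an injection attempt."""
    return _SUSPICIOUS.search(term) is not None


def triage(requests: list[str]) -> list[str]:
    """Return the request lines whose SEARCH value should be reviewed."""
    return [req for req in requests if is_suspicious(search_term(req))]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        term = search_term(req)
        print(f"{req}\n  suspicious={is_suspicious(term)}"
              f" unsafe_tags={tag_count(render_unsafe(term))}"
              f" safe_tags={tag_count(render_safe(term))}")
```

Running the module shows the benign search producing three tags under both renderers, while each constructed payload adds tags only in the unsafe rendering; the encoded version keeps the term inert as text. In a real fix the encoding belongs in the templating layer (or an auto-escaping template engine) rather than in each handler, so it cannot be forgotten for a second reflecting path such as `/c/links`.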
Source: This report was generated using AI