VYPR

Dotcms

by Dotcms

Source repositories

CVEs (25)

Columns: CVE, Severity, Risk, CVSS, EPSS, KEV, Published, Description. The KEV column is empty for every entry on this page.

CVE-2017-5344 | Severity: Critical | Risk: 0.67 | CVSS: 9.8 | EPSS: 0.08 | Published: Feb 17, 2017
An issue was discovered in dotCMS through 3.6.1. The findChildrenByFilter() function, which is called by the web-accessible path /categoriesServlet, performs string interpolation and direct SQL query execution. SQL quote escaping and a keyword blacklist were implemented in a new class, SQLUtil (main/java/com/dotmarketing/common/util/SQLUtil.java), as part of the remediation of CVE-2016-8902; however, these can be overcome in the case of the q and inode parameters to the /categoriesServlet path. Overcoming these controls permits a number of blind boolean SQL injection vectors in either parameter. The /categoriesServlet web path can be accessed remotely and without authentication in a default dotCMS deployment.

CVE-2025-8311 | Severity: Critical | Risk: 0.64 | CVSS: not given | EPSS: 0.02 | Published: Sep 4, 2025
In dotCMS versions 24.03.22 and later, a Boolean-based blind SQLi vulnerability was identified in the /api/v1/contenttype endpoint. This endpoint uses the sites query parameter, which accepts a comma-separated list of site identifiers or keys. The vulnerability was triggered via the sites parameter, which was directly concatenated into a SQL query without proper sanitization. Exploitation allowed an authenticated attacker with low privileges to extract data from the database, perform privilege escalation, or trigger denial-of-service conditions. The vulnerability was verified using tools such as SQLMap and confirmed to allow full database exfiltration and potential denial-of-service conditions via crafted payloads. The vulnerability is fixed in the following versions of the dotCMS stack: 25.08.14 / 25.07.10-1v2 LTS / 24.12.27v10 LTS / 24.04.24v21 LTS.

CVE-2016-8902 | Severity: Critical | Risk: 0.64 | CVSS: 9.8 | EPSS: 0.01 | Published: Nov 14, 2016
SQL injection vulnerability in the categoriesServlet servlet in dotCMS before 3.3.1 allows remote unauthenticated attackers to execute arbitrary SQL commands via the sort parameter.

CVE-2016-8908 | Severity: High | Risk: 0.57 | CVSS: 8.8 | EPSS: 0.02 | Published: Nov 14, 2016
SQL injection vulnerability in the "Site Browser > HTML pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.

CVE-2016-8907 | Severity: High | Risk: 0.57 | CVSS: 8.8 | EPSS: 0.02 | Published: Nov 14, 2016
SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.

CVE-2016-8906 | Severity: High | Risk: 0.57 | CVSS: 8.8 | EPSS: 0.02 | Published: Nov 14, 2016
SQL injection vulnerability in the "Site Browser > Links pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.

CVE-2016-8905 | Severity: High | Risk: 0.57 | CVSS: 8.8 | EPSS: 0.02 | Published: Nov 14, 2016
SQL injection vulnerability in the JSONTags servlet in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the sort parameter.

CVE-2016-8904 | Severity: High | Risk: 0.57 | CVSS: 8.8 | EPSS: 0.01 | Published: Nov 14, 2016
SQL injection vulnerability in the "Site Browser > Containers pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.

CVE-2016-8903 | Severity: High | Risk: 0.57 | CVSS: 8.8 | EPSS: 0.01 | Published: Nov 14, 2016
SQL injection vulnerability in the "Site Browser > Templates pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.

CVE-2016-8600 | Severity: High | Risk: 0.49 | CVSS: 7.5 | EPSS: 0.01 | Published: Oct 28, 2016
In dotCMS 3.2.1, an attacker can load the captcha once, fill in the correct value, and that correct value is then accepted by forms with a captcha check later.

CVE-2017-11466 | Severity: High | Risk: 0.47 | CVSS: 7.2 | EPSS: 0.03 | Published: Jul 20, 2017
Arbitrary file upload vulnerability in com/dotmarketing/servlets/AjaxFileUploadServlet.class in dotCMS 4.1.1 allows remote authenticated administrators to upload .jsp files to arbitrary locations via directory traversal sequences in the fieldName parameter to servlets/ajax_file_upload. This results in arbitrary code execution by requesting the .jsp file at a /assets URI.

CVE-2016-4040 | Severity: High | Risk: 0.47 | CVSS: 7.2 | EPSS: 0.00 | Published: Apr 19, 2016
SQL injection vulnerability in the Workflow Screen in dotCMS before 3.3.2 allows remote administrators to execute arbitrary SQL commands via the orderby parameter.

CVE-2016-3688 | Severity: Medium | Risk: 0.42 | CVSS: 6.5 | EPSS: 0.00 | Published: Apr 19, 2016
SQL injection vulnerability in dotCMS before 3.5 allows remote administrators to execute arbitrary SQL commands via the c0-e3 parameter to dwr/call/plaincall/UserAjax.getUsersList.dwr.

CVE-2017-6003 | Severity: Medium | Risk: 0.40 | CVSS: 6.1 | EPSS: 0.00 | Published: Mar 27, 2017
dotCMS 3.7.0 has XSS reachable from ext/languages_manager/edit_language in portal/layout via the bottom two form fields.

CVE-2017-5877 | Severity: Medium | Risk: 0.40 | CVSS: 6.1 | EPSS: 0.00 | Published: Feb 6, 2017
XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack against the /about-us/locations/index direction parameter.

CVE-2017-5876 | Severity: Medium | Risk: 0.40 | CVSS: 6.1 | EPSS: 0.00 | Published: Feb 6, 2017
XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack against the /news-events/events date parameter.

CVE-2017-15219 | Severity: Medium | Risk: 0.35 | CVSS: 5.4 | EPSS: 0.00 | Published: Oct 10, 2017
The dotCMS 4.1.1 application is vulnerable to Stored Cross-Site Scripting (XSS) affecting a vanity-urls Title field, a containers Description field, and a templates Description field.

CVE-2017-5875 | Severity: Medium | Risk: 0.35 | CVSS: 5.4 | EPSS: 0.00 | Published: Feb 6, 2017
XSS was discovered in dotCMS 3.7.0, with an authenticated attack against the /myAccount addressID parameter.

CVE-2016-3971 | Severity: Medium | Risk: 0.31 | CVSS: 4.8 | EPSS: 0.00 | Published: Apr 18, 2016
Cross-site scripting (XSS) vulnerability in lucene_search.jsp in dotCMS before 3.5.1 allows remote attackers to inject arbitrary web script or HTML via the query parameter to c/portal/layout.

CVE-2016-3972 | Severity: Low | Risk: 0.18 | CVSS: 2.7 | EPSS: 0.00 | Published: Apr 18, 2016
Directory traversal vulnerability in the dotTailLogServlet in dotCMS before 3.5.1 allows remote authenticated administrators to read arbitrary files via a .. (dot dot) in the fileName parameter.

Page 1 of 2