VYPR

Dotcms

by Dotcms

Source repositories

CVEs (57)

  • CVE-2022-45783Feb 1, 2023
    risk 0.00cvss epss 0.08

    An issue was discovered in dotCMS core 4.x through 22.10.2. An authenticated directory traversal vulnerability in the dotCMS API can lead to Remote Code Execution.

  • CVE-2022-37033Feb 1, 2023
    risk 0.00cvss epss 0.01

    In dotCMS 5.x-22.06, TempFileAPI allows a user to create a temporary file based on a passed in URL, while attempting to block any SSRF access to local IP addresses or private subnets. In resolving this URL, the TempFileAPI follows any 302 redirects that the remote URL returns.…

  • CVE-2022-37034Feb 1, 2023
    risk 0.00cvss epss 0.01

    In dotCMS 5.x-22.06, it is possible to call the TempResource multiple times, each time requesting the dotCMS server to download a large file. If done repeatedly, this will result in Tomcat request-thread exhaustion and ultimately a denial of any other requests.

  • CVE-2022-35740Nov 10, 2022
    risk 0.00cvss epss 0.01

    dotCMS before 22.06 allows remote attackers to bypass intended access control and obtain sensitive information by using a semicolon in a URL to introduce a matrix parameter. (This is also fixed in 5.3.8.12, 21.06.9, and 22.03.2 for LTS users.) Some Java application frameworks,…

  • CVE-2022-37431Aug 5, 2022
    risk 0.00cvss epss 0.01

    A Reflected Cross-site scripting (XSS) issue was discovered in dotCMS Core through 22.06. This occurs in the admin portal when the configuration has XSS_PROTECTION_ENABLED=false. NOTE: the vendor disputes this because the current product behavior, in effect, has…

  • CVE-2021-35358Jul 9, 2021
    risk 0.00cvss epss 0.01

    A stored cross site scripting (XSS) vulnerability in dotAdmin/#/c/c_Images of dotCMS 21.05.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' and 'Filename' parameters.

  • CVE-2021-35361Jul 9, 2021
    risk 0.00cvss epss 0.01

    A reflected cross site scripting (XSS) vulnerability in dotAdmin/#/c/links of dotCMS 21.05.1 allows attackers to execute arbitrary commands or HTML via a crafted payload.

  • CVE-2021-35360Jul 9, 2021
    risk 0.00cvss epss 0.01

    A reflected cross site scripting (XSS) vulnerability in dotAdmin/#/c/containers of dotCMS 21.05.1 allows attackers to execute arbitrary commands or HTML via a crafted payload.

  • CVE-2020-17542Apr 23, 2021
    risk 0.00cvss epss 0.01

    Cross Site Scripting (XSS) in dotCMS v5.1.5 allows remote attackers to execute arbitrary code by injecting a malicious payload into the "Task Detail" comment window of the "/dotAdmin/#/c/workflow" component.

  • CVE-2020-27848Dec 30, 2020
    risk 0.00cvss epss 0.01

    dotCMS before 20.10.1 allows SQL injection, as demonstrated by the /api/v1/containers orderby parameter. The PaginatorOrdered classes that are used to paginate results of a REST endpoints do not sanitize the orderBy parameter and in some cases it is vulnerable to SQL injection…

  • CVE-2020-35274Dec 21, 2020
    risk 0.00cvss epss 0.01

    DotCMS Add Template with admin panel 20.11 is affected by cross-site Scripting (XSS) to gain remote privileges. An attacker could compromise the security of a website or web application through a stored XSS attack and stealing cookies using XSS.

  • CVE-2019-12872Jun 18, 2019
    risk 0.00cvss epss 0.01

    dotCMS before 5.1.6 is vulnerable to a SQL injection that can be exploited by an attacker of the role Publisher via view_unpushed_bundles.jsp.

  • CVE-2019-11846May 14, 2019
    risk 0.00cvss epss 0.01

    /servlets/ajax_file_upload?fieldName=binary3 in dotCMS 5.1.1 allows XSS and HTML Injection.

  • CVE-2018-19554Nov 26, 2018
    risk 0.00cvss epss 0.01

    An issue was discovered in Dotcms through 5.0.3. Attackers may perform XSS attacks via the inode, identifier, or fieldName parameter in html/js/dotcms/dijit/image/image_tool.jsp.

  • CVE-2013-3484Apr 2, 2014
    risk 0.00cvss epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in dotCMS before 2.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) _loginUserName parameter to application/login/login.html, (2) my_account_login parameter to c/portal_public/login, or (3) email…

  • CVE-2012-1826Jun 8, 2012
    risk 0.00cvss epss 0.02

    dotCMS 1.9 before 1.9.5.1 allows remote authenticated users to execute arbitrary Java code via a crafted (1) XSLT or (2) Velocity template.

  • CVE-2008-2397May 21, 2008
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in search-results.dot in dotCMS 1.x allows remote attackers to inject arbitrary web script or HTML via the search_query parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party…

Page 3 of 3