VYPR

Core

by Dotcms

Source repositories

CVEs (10)

  • CVE-2016-2355CriDec 19, 2016
    risk 0.64cvss 9.8epss 0.02

    SQL injection vulnerability in the REST API in dotCMS before 3.3.2 allows remote attackers to execute arbitrary SQL commands via the stName parameter to api/content/save/1.

  • CVE-2026-8054CriMay 27, 2026
    risk 0.58cvss epss 0.02

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read,…

  • CVE-2022-45782HigFeb 1, 2023
    risk 0.57cvss 8.8epss 0.01

    An issue was discovered in dotCMS core 5.3.8.5 through 5.3.8.15 and 21.03 through 22.10.1. A cryptographically insecure random generation algorithm for password-reset token generation leads to account takeover.

  • CVE-2016-4803HigJun 30, 2016
    risk 0.49cvss 7.5epss 0.02

    CRLF injection vulnerability in the send email functionality in dotCMS before 3.3.2 allows remote attackers to inject arbitrary email headers via CRLF sequences in the subject.

  • CVE-2022-45783MedFeb 1, 2023
    risk 0.43cvss 6.5epss 0.08

    An issue was discovered in dotCMS core 4.x through 22.10.2. An authenticated directory traversal vulnerability in the dotCMS API can lead to Remote Code Execution.

  • CVE-2018-17422MedMar 7, 2019
    risk 0.40cvss 6.1epss 0.04

    dotCMS before 5.0.2 has open redirects via the html/common/forward_js.jsp FORWARD_URL parameter or the html/portlet/ext/common/page_preview_popup.jsp hostname parameter.

  • CVE-2018-16980MedSep 12, 2018
    risk 0.40cvss 6.1epss 0.01

    dotCMS V5.0.1 has XSS in the /html/portlet/ext/contentlet/image_tools/index.jsp fieldName and inode parameters.

  • CVE-2016-10008HigFeb 19, 2018
    risk 0.40cvss 7.2epss 0.01

    SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.7.2 and 4.x before 4.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the _EXT_STRUCTURE_direction parameter.

  • CVE-2016-10007HigFeb 19, 2018
    risk 0.40cvss 7.2epss 0.01

    SQL injection vulnerability in the "Marketing > Forms" screen in dotCMS before 3.7.2 and 4.x before 4.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the _EXT_FORM_HANDLER_orderBy parameter.

  • CVE-2018-19554MedNov 26, 2018
    risk 0.35cvss 5.4epss 0.01

    An issue was discovered in Dotcms through 5.0.3. Attackers may perform XSS attacks via the inode, identifier, or fieldName parameter in html/js/dotcms/dijit/image/image_tool.jsp.