Vendor CVEs
Dotcms
All CVEs
60 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-5344 | Cri | 0.67 | 9.8 | 0.06 | Feb 17, 2017 | An issue was discovered in dotCMS through 3.6.1. The findChildrenByFilter() function which is called by the web accessible path /categoriesServlet performs string interpolation and direct SQL query execution. SQL quote escaping and a keyword blacklist were implemented in a new… | ||
| CVE-2025-8311 | Cri | 0.64 | — | 0.02 | Sep 4, 2025 | dotCMS versions 24.03.22 and after, identified a Boolean-based blind SQLi vulnerability in the /api/v1/contenttype endpoint. This endpoint uses the sites query parameter, which accepts a comma-separated list of site identifiers or keys. The vulnerability was triggered via the… | ||
| CVE-2024-4447 | Cri | 0.64 | 9.9 | 0.00 | Jul 26, 2024 | In the System → Maintenance tool, the Logged Users tab surfaces sessionId data for all users via the Direct Web Remoting API (UserSessionAjax.getSessionList.dwr) calls. While this is information that would and should be available to admins who possess "Sign In As" powers,… | ||
| CVE-2016-2355 | Cri | 0.64 | 9.8 | 0.02 | Dec 19, 2016 | SQL injection vulnerability in the REST API in dotCMS before 3.3.2 allows remote attackers to execute arbitrary SQL commands via the stName parameter to api/content/save/1. | ||
| CVE-2016-8902 | Cri | 0.64 | 9.8 | 0.03 | Nov 14, 2016 | SQL injection vulnerability in the categoriesServlet servlet in dotCMS before 3.3.1 allows remote not authenticated attackers to execute arbitrary SQL commands via the sort parameter. | ||
| CVE-2026-8054 | Cri | 0.58 | — | 0.02 | May 27, 2026 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read,… | ||
| CVE-2017-3187 | Hig | 0.57 | 8.8 | 0.01 | Jul 24, 2018 | The dotCMS administration panel, versions 3.7.1 and earlier, are vulnerable to cross-site request forgery. The dotCMS administrator panel contains a cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user,… | ||
| CVE-2016-8908 | Hig | 0.57 | 8.8 | 0.02 | Nov 14, 2016 | SQL injection vulnerability in the "Site Browser > HTML pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter. | ||
| CVE-2016-8907 | Hig | 0.57 | 8.8 | 0.02 | Nov 14, 2016 | SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter. | ||
| CVE-2016-8906 | Hig | 0.57 | 8.8 | 0.02 | Nov 14, 2016 | SQL injection vulnerability in the "Site Browser > Links pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter. | ||
| CVE-2016-8905 | Hig | 0.57 | 8.8 | 0.02 | Nov 14, 2016 | SQL injection vulnerability in the JSONTags servlet in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the sort parameter. | ||
| CVE-2016-8904 | Hig | 0.57 | 8.8 | 0.02 | Nov 14, 2016 | SQL injection vulnerability in the "Site Browser > Containers pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter. | ||
| CVE-2016-8903 | Hig | 0.57 | 8.8 | 0.02 | Nov 14, 2016 | SQL injection vulnerability in the "Site Browser > Templates pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter. | ||
| CVE-2017-3189 | Hig | 0.53 | 8.1 | 0.07 | Jul 24, 2018 | The dotCMS administration panel, versions 3.7.1 and earlier, "Push Publishing" feature in Enterprise Pro is vulnerable to arbitrary file upload. When "Bundle" tar.gz archives uploaded to the Push Publishing feature are decompressed, there are no checks on the types of files… | ||
| CVE-2016-8600 | Hig | 0.49 | 7.5 | 0.02 | Oct 28, 2016 | In dotCMS 3.2.1, attacker can load captcha once, fill it with correct value and then this correct value is ok for forms with captcha check later. | ||
| CVE-2016-4803 | Hig | 0.49 | 7.5 | 0.02 | Jun 30, 2016 | CRLF injection vulnerability in the send email functionality in dotCMS before 3.3.2 allows remote attackers to inject arbitrary email headers via CRLF sequences in the subject. | ||
| CVE-2017-11466 | Hig | 0.47 | 7.2 | 0.08 | Jul 20, 2017 | Arbitrary file upload vulnerability in com/dotmarketing/servlets/AjaxFileUploadServlet.class in dotCMS 4.1.1 allows remote authenticated administrators to upload .jsp files to arbitrary locations via directory traversal sequences in the fieldName parameter to… | ||
| CVE-2016-4040 | Hig | 0.47 | 7.2 | 0.01 | Apr 19, 2016 | SQL injection vulnerability in the Workflow Screen in dotCMS before 3.3.2 allows remote administrators to execute arbitrary SQL commands via the orderby parameter. | ||
| CVE-2017-3188 | Med | 0.42 | 6.5 | 0.03 | Jul 24, 2018 | The dotCMS administration panel, versions 3.7.1 and earlier, "Push Publishing" feature in Enterprise Pro is vulnerable to path traversal. When "Bundle" tar.gz archives uploaded to the Push Publishing feature are decompressed, the filenames of its contents are not properly… | ||
| CVE-2016-3688 | Med | 0.42 | 6.5 | 0.02 | Apr 19, 2016 | SQL injection vulnerability in dotCMS before 3.5 allows remote administrators to execute arbitrary SQL commands via the c0-e3 parameter to dwr/call/plaincall/UserAjax.getUsersList.dwr. | ||
| CVE-2018-16980 | Med | 0.40 | 6.1 | 0.01 | Sep 12, 2018 | dotCMS V5.0.1 has XSS in the /html/portlet/ext/contentlet/image_tools/index.jsp fieldName and inode parameters. | ||
| CVE-2016-10008 | Hig | 0.40 | 7.2 | 0.01 | Feb 19, 2018 | SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.7.2 and 4.x before 4.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the _EXT_STRUCTURE_direction parameter. | ||
| CVE-2016-10007 | Hig | 0.40 | 7.2 | 0.01 | Feb 19, 2018 | SQL injection vulnerability in the "Marketing > Forms" screen in dotCMS before 3.7.2 and 4.x before 4.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the _EXT_FORM_HANDLER_orderBy parameter. | ||
| CVE-2017-6003 | Med | 0.40 | 6.1 | 0.01 | Mar 27, 2017 | dotCMS 3.7.0 has XSS reachable from ext/languages_manager/edit_language in portal/layout via the bottom two form fields. | ||
| CVE-2017-5877 | Med | 0.40 | 6.1 | 0.01 | Feb 6, 2017 | XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack against the /about-us/locations/index direction parameter. | ||
| CVE-2017-5876 | Med | 0.40 | 6.1 | 0.01 | Feb 6, 2017 | XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack against the /news-events/events date parameter. | ||
| CVE-2017-15219 | Med | 0.35 | 5.4 | 0.01 | Oct 10, 2017 | The dotCMS 4.1.1 application is vulnerable to Stored Cross-Site Scripting (XSS) affecting a vanity-urls Title field, a containers Description field, and a templates Description field. | ||
| CVE-2017-5875 | Med | 0.35 | 5.4 | 0.01 | Feb 6, 2017 | XSS was discovered in dotCMS 3.7.0, with an authenticated attack against the /myAccount addressID parameter. | ||
| CVE-2016-3971 | Med | 0.31 | 4.8 | 0.01 | Apr 18, 2016 | Cross-site scripting (XSS) vulnerability in lucene_search.jsp in dotCMS before 3.5.1 allows remote attackers to inject arbitrary web script or HTML via the query parameter to c/portal/layout. | ||
| CVE-2022-26352 | 0.29 | — | 0.92 | KEV | Jul 17, 2022 | An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage… | ||
| CVE-2016-3972 | Low | 0.18 | 2.7 | 0.01 | Apr 18, 2016 | Directory traversal vulnerability in the dotTailLogServlet in dotCMS before 3.5.1 allows remote authenticated administrators to read arbitrary files via a .. (dot dot) in the fileName parameter. | ||
| CVE-2020-6754 | 0.06 | — | 0.95 | Feb 5, 2020 | dotCMS before 5.2.4 is vulnerable to directory traversal, leading to incorrect access control. It allows an attacker to read or execute files under $TOMCAT_HOME/webapps/ROOT/assets (which should be a protected directory). Additionally, attackers can upload temporary files (e.g.,… | |||
| CVE-2008-3708 | 0.03 | — | 0.05 | Aug 19, 2008 | Multiple directory traversal vulnerabilities in dotCMS 1.6.0.9 allow remote attackers to read arbitrary files via a .. (dot dot) in the id parameter to (1) news/index.dot and (2) getting_started/macros/macros_detail.dot. | |||
| CVE-2020-19138 | 0.01 | — | 0.06 | Sep 8, 2021 | Unrestricted Upload of File with Dangerous Type in DotCMS v5.2.3 and earlier allow remote attackers to execute arbitrary code via the component "/src/main/java/com/dotmarketing/filters/CMSFilter.java". | |||
| CVE-2018-17422 | 0.01 | — | 0.04 | Mar 7, 2019 | dotCMS before 5.0.2 has open redirects via the html/common/forward_js.jsp FORWARD_URL parameter or the html/portlet/ext/common/page_preview_popup.jsp hostname parameter. | |||
| CVE-2025-11165 | 0.00 | — | 0.00 | Feb 24, 2026 | A sandbox escape vulnerability exists in dotCMS’s Velocity scripting engine (VTools) that allows authenticated users with scripting privileges to bypass class and package restrictions enforced by SecureUberspectorImpl. By dynamically modifying the Velocity engine’s runtime… | |||
| CVE-2024-3938 | 0.00 | — | 0.00 | Jul 25, 2024 | The "reset password" login page accepted an HTML injection via URL parameters. This has already been rectified via patch, and as such it cannot be demonstrated via Demo site link. Those interested to see the vulnerability may spin up a http://localhost:8082/dotAdmin/#/public/lo… | |||
| CVE-2024-3165 | 0.00 | — | 0.01 | Apr 1, 2024 | System->Maintenance-> Log Files in dotCMS dashboard is providing the username/password for database connections in the log output. Nevertheless, this is a moderate issue as it requires a backend admin as well as that dbs are locked down by environment. OWASP Top 10 - A05)… | |||
| CVE-2024-3164 | 0.00 | — | 0.00 | Apr 1, 2024 | In dotCMS dashboard, the Tools and Log Files tabs under System → Maintenance Portlet, which is and always has been an Admin portlet, is accessible to anyone with that portlet and not just to CMS Admins. Users that get site admin but not a system admin, should not have access… | |||
| CVE-2023-3042 | 0.00 | — | 0.00 | Oct 17, 2023 | In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should… | |||
| CVE-2022-37034 | 0.00 | — | 0.01 | Feb 1, 2023 | In dotCMS 5.x-22.06, it is possible to call the TempResource multiple times, each time requesting the dotCMS server to download a large file. If done repeatedly, this will result in Tomcat request-thread exhaustion and ultimately a denial of any other requests. | |||
| CVE-2022-45783 | 0.00 | — | 0.08 | Feb 1, 2023 | An issue was discovered in dotCMS core 4.x through 22.10.2. An authenticated directory traversal vulnerability in the dotCMS API can lead to Remote Code Execution. | |||
| CVE-2022-37033 | 0.00 | — | 0.01 | Feb 1, 2023 | In dotCMS 5.x-22.06, TempFileAPI allows a user to create a temporary file based on a passed in URL, while attempting to block any SSRF access to local IP addresses or private subnets. In resolving this URL, the TempFileAPI follows any 302 redirects that the remote URL returns.… | |||
| CVE-2022-45782 | 0.00 | — | 0.01 | Feb 1, 2023 | An issue was discovered in dotCMS core 5.3.8.5 through 5.3.8.15 and 21.03 through 22.10.1. A cryptographically insecure random generation algorithm for password-reset token generation leads to account takeover. | |||
| CVE-2022-35740 | 0.00 | — | 0.01 | Nov 10, 2022 | dotCMS before 22.06 allows remote attackers to bypass intended access control and obtain sensitive information by using a semicolon in a URL to introduce a matrix parameter. (This is also fixed in 5.3.8.12, 21.06.9, and 22.03.2 for LTS users.) Some Java application frameworks,… | |||
| CVE-2022-37431 | 0.00 | — | 0.01 | Aug 5, 2022 | A Reflected Cross-site scripting (XSS) issue was discovered in dotCMS Core through 22.06. This occurs in the admin portal when the configuration has XSS_PROTECTION_ENABLED=false. NOTE: the vendor disputes this because the current product behavior, in effect, has… | |||
| CVE-2020-18875 | 0.00 | — | 0.02 | Aug 18, 2021 | Incorrect Access Control in DotCMS versions before 5.1 allows remote attackers to gain privileges by injecting client configurations via vtl (velocity) files. | |||
| CVE-2021-35358 | 0.00 | — | 0.01 | Jul 9, 2021 | A stored cross site scripting (XSS) vulnerability in dotAdmin/#/c/c_Images of dotCMS 21.05.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' and 'Filename' parameters. | |||
| CVE-2021-35361 | 0.00 | — | 0.01 | Jul 9, 2021 | A reflected cross site scripting (XSS) vulnerability in dotAdmin/#/c/links of dotCMS 21.05.1 allows attackers to execute arbitrary commands or HTML via a crafted payload. | |||
| CVE-2021-35360 | 0.00 | — | 0.01 | Jul 9, 2021 | A reflected cross site scripting (XSS) vulnerability in dotAdmin/#/c/containers of dotCMS 21.05.1 allows attackers to execute arbitrary commands or HTML via a crafted payload. |
- risk 0.67cvss 9.8epss 0.06
An issue was discovered in dotCMS through 3.6.1. The findChildrenByFilter() function which is called by the web accessible path /categoriesServlet performs string interpolation and direct SQL query execution. SQL quote escaping and a keyword blacklist were implemented in a new…
- risk 0.64cvss —epss 0.02
dotCMS versions 24.03.22 and after, identified a Boolean-based blind SQLi vulnerability in the /api/v1/contenttype endpoint. This endpoint uses the sites query parameter, which accepts a comma-separated list of site identifiers or keys. The vulnerability was triggered via the…
- risk 0.64cvss 9.9epss 0.00
In the System → Maintenance tool, the Logged Users tab surfaces sessionId data for all users via the Direct Web Remoting API (UserSessionAjax.getSessionList.dwr) calls. While this is information that would and should be available to admins who possess "Sign In As" powers,…
- risk 0.64cvss 9.8epss 0.02
SQL injection vulnerability in the REST API in dotCMS before 3.3.2 allows remote attackers to execute arbitrary SQL commands via the stName parameter to api/content/save/1.
- risk 0.64cvss 9.8epss 0.03
SQL injection vulnerability in the categoriesServlet servlet in dotCMS before 3.3.1 allows remote not authenticated attackers to execute arbitrary SQL commands via the sort parameter.
- risk 0.58cvss —epss 0.02
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read,…
- risk 0.57cvss 8.8epss 0.01
The dotCMS administration panel, versions 3.7.1 and earlier, are vulnerable to cross-site request forgery. The dotCMS administrator panel contains a cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user,…
- risk 0.57cvss 8.8epss 0.02
SQL injection vulnerability in the "Site Browser > HTML pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
- risk 0.57cvss 8.8epss 0.02
SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
- risk 0.57cvss 8.8epss 0.02
SQL injection vulnerability in the "Site Browser > Links pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
- risk 0.57cvss 8.8epss 0.02
SQL injection vulnerability in the JSONTags servlet in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the sort parameter.
- risk 0.57cvss 8.8epss 0.02
SQL injection vulnerability in the "Site Browser > Containers pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
- risk 0.57cvss 8.8epss 0.02
SQL injection vulnerability in the "Site Browser > Templates pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
- risk 0.53cvss 8.1epss 0.07
The dotCMS administration panel, versions 3.7.1 and earlier, "Push Publishing" feature in Enterprise Pro is vulnerable to arbitrary file upload. When "Bundle" tar.gz archives uploaded to the Push Publishing feature are decompressed, there are no checks on the types of files…
- risk 0.49cvss 7.5epss 0.02
In dotCMS 3.2.1, attacker can load captcha once, fill it with correct value and then this correct value is ok for forms with captcha check later.
- risk 0.49cvss 7.5epss 0.02
CRLF injection vulnerability in the send email functionality in dotCMS before 3.3.2 allows remote attackers to inject arbitrary email headers via CRLF sequences in the subject.
- risk 0.47cvss 7.2epss 0.08
Arbitrary file upload vulnerability in com/dotmarketing/servlets/AjaxFileUploadServlet.class in dotCMS 4.1.1 allows remote authenticated administrators to upload .jsp files to arbitrary locations via directory traversal sequences in the fieldName parameter to…
- risk 0.47cvss 7.2epss 0.01
SQL injection vulnerability in the Workflow Screen in dotCMS before 3.3.2 allows remote administrators to execute arbitrary SQL commands via the orderby parameter.
- risk 0.42cvss 6.5epss 0.03
The dotCMS administration panel, versions 3.7.1 and earlier, "Push Publishing" feature in Enterprise Pro is vulnerable to path traversal. When "Bundle" tar.gz archives uploaded to the Push Publishing feature are decompressed, the filenames of its contents are not properly…
- risk 0.42cvss 6.5epss 0.02
SQL injection vulnerability in dotCMS before 3.5 allows remote administrators to execute arbitrary SQL commands via the c0-e3 parameter to dwr/call/plaincall/UserAjax.getUsersList.dwr.
- risk 0.40cvss 6.1epss 0.01
dotCMS V5.0.1 has XSS in the /html/portlet/ext/contentlet/image_tools/index.jsp fieldName and inode parameters.
- risk 0.40cvss 7.2epss 0.01
SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.7.2 and 4.x before 4.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the _EXT_STRUCTURE_direction parameter.
- risk 0.40cvss 7.2epss 0.01
SQL injection vulnerability in the "Marketing > Forms" screen in dotCMS before 3.7.2 and 4.x before 4.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the _EXT_FORM_HANDLER_orderBy parameter.
- risk 0.40cvss 6.1epss 0.01
dotCMS 3.7.0 has XSS reachable from ext/languages_manager/edit_language in portal/layout via the bottom two form fields.
- risk 0.40cvss 6.1epss 0.01
XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack against the /about-us/locations/index direction parameter.
- risk 0.40cvss 6.1epss 0.01
XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack against the /news-events/events date parameter.
- risk 0.35cvss 5.4epss 0.01
The dotCMS 4.1.1 application is vulnerable to Stored Cross-Site Scripting (XSS) affecting a vanity-urls Title field, a containers Description field, and a templates Description field.
- risk 0.35cvss 5.4epss 0.01
XSS was discovered in dotCMS 3.7.0, with an authenticated attack against the /myAccount addressID parameter.
- risk 0.31cvss 4.8epss 0.01
Cross-site scripting (XSS) vulnerability in lucene_search.jsp in dotCMS before 3.5.1 allows remote attackers to inject arbitrary web script or HTML via the query parameter to c/portal/layout.
- risk 0.29cvss —epss 0.92
An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage…
- risk 0.18cvss 2.7epss 0.01
Directory traversal vulnerability in the dotTailLogServlet in dotCMS before 3.5.1 allows remote authenticated administrators to read arbitrary files via a .. (dot dot) in the fileName parameter.
- CVE-2020-6754Feb 5, 2020risk 0.06cvss —epss 0.95
dotCMS before 5.2.4 is vulnerable to directory traversal, leading to incorrect access control. It allows an attacker to read or execute files under $TOMCAT_HOME/webapps/ROOT/assets (which should be a protected directory). Additionally, attackers can upload temporary files (e.g.,…
- CVE-2008-3708Aug 19, 2008risk 0.03cvss —epss 0.05
Multiple directory traversal vulnerabilities in dotCMS 1.6.0.9 allow remote attackers to read arbitrary files via a .. (dot dot) in the id parameter to (1) news/index.dot and (2) getting_started/macros/macros_detail.dot.
- CVE-2020-19138Sep 8, 2021risk 0.01cvss —epss 0.06
Unrestricted Upload of File with Dangerous Type in DotCMS v5.2.3 and earlier allow remote attackers to execute arbitrary code via the component "/src/main/java/com/dotmarketing/filters/CMSFilter.java".
- CVE-2018-17422Mar 7, 2019risk 0.01cvss —epss 0.04
dotCMS before 5.0.2 has open redirects via the html/common/forward_js.jsp FORWARD_URL parameter or the html/portlet/ext/common/page_preview_popup.jsp hostname parameter.
- CVE-2025-11165Feb 24, 2026risk 0.00cvss —epss 0.00
A sandbox escape vulnerability exists in dotCMS’s Velocity scripting engine (VTools) that allows authenticated users with scripting privileges to bypass class and package restrictions enforced by SecureUberspectorImpl. By dynamically modifying the Velocity engine’s runtime…
- CVE-2024-3938Jul 25, 2024risk 0.00cvss —epss 0.00
The "reset password" login page accepted an HTML injection via URL parameters. This has already been rectified via patch, and as such it cannot be demonstrated via Demo site link. Those interested to see the vulnerability may spin up a http://localhost:8082/dotAdmin/#/public/lo…
- CVE-2024-3165Apr 1, 2024risk 0.00cvss —epss 0.01
System->Maintenance-> Log Files in dotCMS dashboard is providing the username/password for database connections in the log output. Nevertheless, this is a moderate issue as it requires a backend admin as well as that dbs are locked down by environment. OWASP Top 10 - A05)…
- CVE-2024-3164Apr 1, 2024risk 0.00cvss —epss 0.00
In dotCMS dashboard, the Tools and Log Files tabs under System → Maintenance Portlet, which is and always has been an Admin portlet, is accessible to anyone with that portlet and not just to CMS Admins. Users that get site admin but not a system admin, should not have access…
- CVE-2023-3042Oct 17, 2023risk 0.00cvss —epss 0.00
In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should…
- CVE-2022-37034Feb 1, 2023risk 0.00cvss —epss 0.01
In dotCMS 5.x-22.06, it is possible to call the TempResource multiple times, each time requesting the dotCMS server to download a large file. If done repeatedly, this will result in Tomcat request-thread exhaustion and ultimately a denial of any other requests.
- CVE-2022-45783Feb 1, 2023risk 0.00cvss —epss 0.08
An issue was discovered in dotCMS core 4.x through 22.10.2. An authenticated directory traversal vulnerability in the dotCMS API can lead to Remote Code Execution.
- CVE-2022-37033Feb 1, 2023risk 0.00cvss —epss 0.01
In dotCMS 5.x-22.06, TempFileAPI allows a user to create a temporary file based on a passed in URL, while attempting to block any SSRF access to local IP addresses or private subnets. In resolving this URL, the TempFileAPI follows any 302 redirects that the remote URL returns.…
- CVE-2022-45782Feb 1, 2023risk 0.00cvss —epss 0.01
An issue was discovered in dotCMS core 5.3.8.5 through 5.3.8.15 and 21.03 through 22.10.1. A cryptographically insecure random generation algorithm for password-reset token generation leads to account takeover.
- CVE-2022-35740Nov 10, 2022risk 0.00cvss —epss 0.01
dotCMS before 22.06 allows remote attackers to bypass intended access control and obtain sensitive information by using a semicolon in a URL to introduce a matrix parameter. (This is also fixed in 5.3.8.12, 21.06.9, and 22.03.2 for LTS users.) Some Java application frameworks,…
- CVE-2022-37431Aug 5, 2022risk 0.00cvss —epss 0.01
A Reflected Cross-site scripting (XSS) issue was discovered in dotCMS Core through 22.06. This occurs in the admin portal when the configuration has XSS_PROTECTION_ENABLED=false. NOTE: the vendor disputes this because the current product behavior, in effect, has…
- CVE-2020-18875Aug 18, 2021risk 0.00cvss —epss 0.02
Incorrect Access Control in DotCMS versions before 5.1 allows remote attackers to gain privileges by injecting client configurations via vtl (velocity) files.
- CVE-2021-35358Jul 9, 2021risk 0.00cvss —epss 0.01
A stored cross site scripting (XSS) vulnerability in dotAdmin/#/c/c_Images of dotCMS 21.05.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' and 'Filename' parameters.
- CVE-2021-35361Jul 9, 2021risk 0.00cvss —epss 0.01
A reflected cross site scripting (XSS) vulnerability in dotAdmin/#/c/links of dotCMS 21.05.1 allows attackers to execute arbitrary commands or HTML via a crafted payload.
- CVE-2021-35360Jul 9, 2021risk 0.00cvss —epss 0.01
A reflected cross site scripting (XSS) vulnerability in dotAdmin/#/c/containers of dotCMS 21.05.1 allows attackers to execute arbitrary commands or HTML via a crafted payload.
Page 1 of 2