Vendor CVEs
Dotcms
All CVEs
60 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-17542 | dotCMS | | 0.00 | — | 0.01 | | Apr 23, 2021 | Cross Site Scripting (XSS) in dotCMS v5.1.5 allows remote attackers to execute arbitrary code by injecting a malicious payload into the "Task Detail" comment window of the "/dotAdmin/#/c/workflow" component. |
| CVE-2020-27848 | dotCMS | | 0.00 | — | 0.01 | | Dec 30, 2020 | dotCMS before 20.10.1 allows SQL injection, as demonstrated by the /api/v1/containers orderby parameter. The PaginatorOrdered classes that are used to paginate results of REST endpoints do not sanitize the orderBy parameter and in some cases it is vulnerable to SQL injection… |
| CVE-2020-35274 | dotCMS | | 0.00 | — | 0.01 | | Dec 21, 2020 | DotCMS Add Template with admin panel 20.11 is affected by cross-site scripting (XSS) to gain remote privileges. An attacker could compromise the security of a website or web application through a stored XSS attack and stealing cookies using XSS. |
| CVE-2019-12872 | dotCMS | | 0.00 | — | 0.01 | | Jun 18, 2019 | dotCMS before 5.1.6 is vulnerable to a SQL injection that can be exploited by an attacker of the role Publisher via view_unpushed_bundles.jsp. |
| CVE-2019-12309 | dotCMS | | 0.00 | — | 0.01 | | May 23, 2019 | dotCMS before 5.1.0 has a path traversal vulnerability exploitable by an administrator to create files. The vulnerability is caused by the insecure extraction of a ZIP archive. |
| CVE-2019-11846 | dotCMS | | 0.00 | — | 0.01 | | May 14, 2019 | /servlets/ajax_file_upload?fieldName=binary3 in dotCMS 5.1.1 allows XSS and HTML Injection. |
| CVE-2018-19554 | dotCMS | | 0.00 | — | 0.01 | | Nov 26, 2018 | An issue was discovered in Dotcms through 5.0.3. Attackers may perform XSS attacks via the inode, identifier, or fieldName parameter in html/js/dotcms/dijit/image/image_tool.jsp. |
| CVE-2013-3484 | dotCMS | | 0.00 | — | 0.02 | | Apr 2, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in dotCMS before 2.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) _loginUserName parameter to application/login/login.html, (2) my_account_login parameter to c/portal_public/login, or (3) email… |
| CVE-2012-1826 | dotCMS | | 0.00 | — | 0.02 | | Jun 8, 2012 | dotCMS 1.9 before 1.9.5.1 allows remote authenticated users to execute arbitrary Java code via a crafted (1) XSLT or (2) Velocity template. |
| CVE-2008-2397 | dotCMS | | 0.00 | — | 0.01 | | May 21, 2008 | Cross-site scripting (XSS) vulnerability in search-results.dot in dotCMS 1.x allows remote attackers to inject arbitrary web script or HTML via the search_query parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party… |
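The CVE-2020-27848 entry above describes the general pattern of an unsanitized orderBy parameter reaching SQL. The following is an added example, not dotCMS code and not taken from the advisory: a Python/SQLite stand-in for a paginated endpoint, with a constructed `containers` table and a constructed `users` row. It shows why ORDER BY injection matters even where a second statement cannot be appended (the injected expression changes the sort order, which leaks data one character per round), and why the fix is an allowlist of column names rather than parameter binding, which cannot be applied to identifiers. Table, column and key names are illustrative assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample schema and rows (not dotCMS's own); stand in for the table behind a
    # paginated REST endpoint such as /api/v1/containers.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE containers (id INTEGER PRIMARY KEY, title TEXT, mod_date TEXT);
        INSERT INTO containers VALUES (1, 'zeta',  '2020-01-03'),
                                      (2, 'alpha', '2020-01-01'),
                                      (3, 'mid',   '2020-01-02');
        CREATE TABLE users (name TEXT, api_key TEXT);
        INSERT INTO users VALUES ('admin', 's3cret');
    """)
    return db


def vulnerable_query(db: sqlite3.Connection, orderby: str, direction: str = "asc") -> list:
    # VULNERABLE: the sort column arrives from the request and is spliced into the SQL text,
    # the pattern the CVE-2020-27848 entry describes for the orderBy parameter.
    sql = f"SELECT id FROM containers ORDER BY {orderby} {direction}"
    return [row[0] for row in db.execute(sql)]


ALLOWED_COLUMNS = {"id", "title", "mod_date"}
ALLOWED_DIRECTIONS = {"asc", "desc"}


def is_accepted(orderby: str, direction: str = "asc") -> bool:
    # Exact-match allowlist: no regex, no escaping, no "strip the quotes" heuristics.
    return orderby in ALLOWED_COLUMNS and direction.lower() in ALLOWED_DIRECTIONS


def hardened_query(db: sqlite3.Connection, orderby: str, direction: str = "asc") -> list:
    # Identifiers in ORDER BY cannot be bound as parameters, so the fix is to reject anything
    # outside a fixed set of column names and directions before any SQL is built.
    if not is_accepted(orderby, direction):
        raise ValueError(f"rejected orderBy={orderby!r} direction={direction!r}")
    sql = f"SELECT id FROM containers ORDER BY {orderby} {direction.lower()}"
    return [row[0] for row in db.execute(sql)]


def leak_api_key_prefix(db: sqlite3.Connection, length: int = 6) -> str:
    # Blind, boolean-based extraction through the vulnerable sort: the injected CASE expression
    # sorts by title when the guess is right and by id when it is wrong, so the row order of an
    # otherwise harmless listing leaks one character per round of guesses.
    baseline = vulnerable_query(db, "title")
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            payload = (f"(CASE WHEN (SELECT substr(api_key, {pos}, 1) FROM users "
                       f"WHERE name = 'admin') = '{ch}' THEN title ELSE id END)")
            if vulnerable_query(db, payload) == baseline:
                recovered += ch
                break
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("sorted by title:", vulnerable_query(db, "title"))
    print("leaked via orderBy:", leak_api_key_prefix(db))
    print("hardened accepts 'title'?", is_accepted("title"))
    print("hardened accepts CASE payload?", is_accepted("(CASE WHEN 1=1 THEN title ELSE id END)"))
```

The allowlist is the whole fix: once the accepted strings are known constants, the f-string in `hardened_query` can only ever contain one of them. Mapping API-facing sort keys to column names through a dict is an equally good variant when the external names should not mirror the schema.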
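The CVE-2019-12309 entry above attributes file creation outside the intended directory to insecure ZIP extraction. The following is an added example, not dotCMS code and not derived from the advisory: a Python stand-in (dotCMS itself is Java) that builds a constructed archive containing a `../../evil.txt` entry, extracts it with the naive join-and-write pattern, and then with a version that resolves every target path and refuses any entry that would land outside the destination. The file names and directory layout are illustrative assumptions; the archive is written to a throwaway temporary directory so the escaping entry cannot touch anything else.

```python
import io
import os
import tempfile
import zipfile


def build_archive(entries: dict) -> bytes:
    # Constructed sample archive (not a real dotCMS bundle). Entry names are stored verbatim, so a
    # name such as "../../evil.txt" lands in the central directory exactly as an attacker crafts it.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def vulnerable_extract(zip_bytes: bytes, dest: str) -> list:
    # VULNERABLE: joins the entry name onto dest and writes, trusting the archive. "../" segments
    # in the name walk out of dest. This is the insecure-extraction pattern behind CVE-2019-12309.
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    # Hardened: resolve every target first and require it to remain under the real dest. Nothing is
    # written until the whole listing passes, so a bad entry cannot leave partial output behind.
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        planned = []
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            # commonpath also rejects absolute names, since join() discards root for those.
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"zip entry escapes destination: {info.filename!r}")
            planned.append((info, target))
        for info, target in planned:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
    return [target for _, target in planned]


def demo() -> dict:
    # Runs both extractors against a malicious and a benign constructed archive inside a fresh
    # temporary tree; dest sits two levels below the tree root so "../../" stays inside it.
    malicious = build_archive({"ok.txt": b"benign", "../../evil.txt": b"escaped"})
    benign = build_archive({"ok.txt": b"benign", "sub/nested.txt": b"nested"})
    root = tempfile.mkdtemp()
    dest = os.path.join(root, "a", "b")
    os.makedirs(dest)
    result = {}
    vulnerable_extract(malicious, dest)
    result["vulnerable_wrote_outside"] = os.path.exists(os.path.join(root, "evil.txt"))
    try:
        safe_extract(malicious, dest)
        result["safe_rejected"] = False
    except ValueError:
        result["safe_rejected"] = True
    written = safe_extract(benign, dest)
    real_dest = os.path.realpath(dest)
    result["safe_written_inside"] = all(os.path.commonpath([real_dest, p]) == real_dest for p in written)
    result["safe_count"] = len(written)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats a practitioner should add before reusing this: symbolic links stored in the archive (Unix external attributes) are not handled here and need the same containment check on their link target, and on Windows `os.path.commonpath` raises `ValueError` for paths on different drives, which this code treats as a rejection rather than a crash.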
Page 2 of 2