VYPR

Dotcms: all CVEs

60 total · sorted by risk
  • CVE-2020-17542 · Apr 23, 2021
    risk 0.00 · cvss · epss 0.01

    Cross Site Scripting (XSS) in dotCMS v5.1.5 allows remote attackers to execute arbitrary code by injecting a malicious payload into the "Task Detail" comment window of the "/dotAdmin/#/c/workflow" component.

  • CVE-2020-27848 · Dec 30, 2020
    risk 0.00 · cvss · epss 0.01

    dotCMS before 20.10.1 allows SQL injection, as demonstrated by the /api/v1/containers orderby parameter. The PaginatorOrdered classes that are used to paginate results of REST endpoints do not sanitize the orderBy parameter, and in some cases it is vulnerable to SQL injection…

  • CVE-2020-35274 · Dec 21, 2020
    risk 0.00 · cvss · epss 0.01

    DotCMS Add Template with admin panel 20.11 is affected by cross-site scripting (XSS) that can be used to gain remote privileges. An attacker could compromise the security of a website or web application through a stored XSS attack, stealing cookies using XSS.

  • CVE-2019-12872 · Jun 18, 2019
    risk 0.00 · cvss · epss 0.01

    dotCMS before 5.1.6 is vulnerable to a SQL injection that can be exploited by an attacker of the role Publisher via view_unpushed_bundles.jsp.

  • CVE-2019-12309 · May 23, 2019
    risk 0.00 · cvss · epss 0.01

    dotCMS before 5.1.0 has a path traversal vulnerability exploitable by an administrator to create files. The vulnerability is caused by the insecure extraction of a ZIP archive.

  • CVE-2019-11846 · May 14, 2019
    risk 0.00 · cvss · epss 0.01

    /servlets/ajax_file_upload?fieldName=binary3 in dotCMS 5.1.1 allows XSS and HTML Injection.

  • CVE-2018-19554 · Nov 26, 2018
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in Dotcms through 5.0.3. Attackers may perform XSS attacks via the inode, identifier, or fieldName parameter in html/js/dotcms/dijit/image/image_tool.jsp.

  • CVE-2013-3484 · Apr 2, 2014
    risk 0.00 · cvss · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in dotCMS before 2.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) _loginUserName parameter to application/login/login.html, (2) my_account_login parameter to c/portal_public/login, or (3) email…

  • CVE-2012-1826 · Jun 8, 2012
    risk 0.00 · cvss · epss 0.02

    dotCMS 1.9 before 1.9.5.1 allows remote authenticated users to execute arbitrary Java code via a crafted (1) XSLT or (2) Velocity template.

  • CVE-2008-2397 · May 21, 2008
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in search-results.dot in dotCMS 1.x allows remote attackers to inject arbitrary web script or HTML via the search_query parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party…

Page 2 of 2