Vulnerabilities > Dotcms
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-07-25 | CVE-2024-3938 | Cross-site Scripting vulnerability in Dotcms The "reset password" login page accepted an HTML injection via URL parameters. This has already been rectified via patch, and as such it cannot be demonstrated via Demo site link. | 6.1 |
| 2023-10-17 | CVE-2023-3042 | Cross-site Scripting vulnerability in Dotcms In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. | 6.1 |
| 2023-02-01 | CVE-2022-37034 | Uncontrolled Recursion vulnerability in Dotcms In dotCMS 5.x-22.06, it is possible to call the TempResource multiple times, each time requesting the dotCMS server to download a large file. | 5.3 |
| 2023-02-01 | CVE-2022-37033 | Server-Side Request Forgery (SSRF) vulnerability in Dotcms In dotCMS 5.x-22.06, TempFileAPI allows a user to create a temporary file based on a passed in URL, while attempting to block any SSRF access to local IP addresses or private subnets. | 6.5 |
| 2023-02-01 | CVE-2022-45782 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Dotcms An issue was discovered in dotCMS core 5.3.8.5 through 5.3.8.15 and 21.03 through 22.10.1. | 8.8 |
| 2023-02-01 | CVE-2022-45783 | Path Traversal vulnerability in Dotcms An issue was discovered in dotCMS core 4.x through 22.10.2. | 6.5 |
| 2022-11-10 | CVE-2022-35740 | Cross-site Scripting vulnerability in Dotcms dotCMS before 22.06 allows remote attackers to bypass intended access control and obtain sensitive information by using a semicolon in a URL to introduce a matrix parameter. | 6.1 |
| 2022-08-05 | CVE-2022-37431 | Cross-site Scripting vulnerability in Dotcms A Reflected Cross-site scripting (XSS) issue was discovered in dotCMS Core through 22.06. | 6.1 |
| 2022-07-17 | CVE-2022-26352 | Unspecified vulnerability in Dotcms An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. | 9.8 |
| 2021-09-08 | CVE-2020-19138 | Unrestricted Upload of File with Dangerous Type vulnerability in Dotcms Unrestricted Upload of File with Dangerous Type in DotCMS v5.2.3 and earlier allow remote attackers to execute arbitrary code via the component "/src/main/java/com/dotmarketing/filters/CMSFilter.java". | 9.8 |