Vulnerabilities > Dotcms
| Date | CVE | Title | Description | Score |
| --- | --- | --- | --- | --- |
| 2023-02-01 | CVE-2022-37034 | Uncontrolled Recursion vulnerability in Dotcms 22.03/22.03.2 | In dotCMS 5.x-22.06, it is possible to call the TempResource multiple times, each time requesting the dotCMS server to download a large file. | 5.3 |
| 2023-02-01 | CVE-2022-37033 | Server-Side Request Forgery (SSRF) vulnerability in Dotcms 22.03/22.03.2 | In dotCMS 5.x-22.06, TempFileAPI allows a user to create a temporary file based on a passed-in URL, while attempting to block any SSRF access to local IP addresses or private subnets. | 6.5 |
| 2023-02-01 | CVE-2022-45782 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Dotcms | An issue was discovered in dotCMS core 220.127.116.11 through 18.104.22.168 and 21.03 through 22.10.1. | 8.8 |
| 2023-02-01 | CVE-2022-45783 | Path Traversal vulnerability in Dotcms | An issue was discovered in dotCMS core 4.x through 22.10.2. | 6.5 |
| 2022-11-10 | CVE-2022-35740 | Cross-site Scripting vulnerability in Dotcms | dotCMS before 22.06 allows remote attackers to bypass intended access control and obtain sensitive information by using a semicolon in a URL to introduce a matrix parameter. | 6.1 |
| 2022-07-17 | CVE-2022-26352 | Unrestricted Upload of File with Dangerous Type vulnerability in Dotcms | An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. | 6.8 |
| 2021-09-08 | CVE-2020-19138 | Unrestricted Upload of File with Dangerous Type vulnerability in Dotcms | Unrestricted Upload of File with Dangerous Type in DotCMS v5.2.3 and earlier allows remote attackers to execute arbitrary code via the component "/src/main/java/com/dotmarketing/filters/CMSFilter.java". | 10.0 |
| 2021-08-18 | CVE-2020-18875 | Injection vulnerability in Dotcms | Incorrect Access Control in DotCMS versions before 5.1 allows remote attackers to gain privileges by injecting client configurations via vtl (Velocity) files. | 8.8 |
| 2021-07-09 | CVE-2021-35358 | Cross-site Scripting vulnerability in Dotcms 21.05.1 | A stored cross-site scripting (XSS) vulnerability in dotAdmin/#/c/c_Images of dotCMS 21.05.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' and 'Filename' parameters. | 3.5 |
| 2021-07-09 | CVE-2021-35360 | Cross-site Scripting vulnerability in Dotcms 21.05.1 | A reflected cross-site scripting (XSS) vulnerability in dotAdmin/#/c/containers of dotCMS 21.05.1 allows attackers to execute arbitrary commands or HTML via a crafted payload. | 3.5 |