Vulnerabilities > Dotcms

DATE CVE VULNERABILITY TITLE RISK
2023-02-01 CVE-2022-37034 Uncontrolled Recursion vulnerability in Dotcms 22.03/22.03.2
In dotCMS 5.x-22.06, it is possible to call the TempResource multiple times, each time requesting the dotCMS server to download a large file.
network
low complexity
dotcms CWE-674
5.3
2023-02-01 CVE-2022-37033 Server-Side Request Forgery (SSRF) vulnerability in Dotcms 22.03/22.03.2
In dotCMS 5.x-22.06, TempFileAPI allows a user to create a temporary file based on a passed in URL, while attempting to block any SSRF access to local IP addresses or private subnets.
network
low complexity
dotcms CWE-918
6.5
2023-02-01 CVE-2022-45782 Weak Password Recovery Mechanism for Forgotten Password vulnerability in Dotcms
An issue was discovered in dotCMS core 5.3.8.5 through 5.3.8.15 and 21.03 through 22.10.1.
network
low complexity
dotcms CWE-640
8.8
2023-02-01 CVE-2022-45783 Path Traversal vulnerability in Dotcms
An issue was discovered in dotCMS core 4.x through 22.10.2.
local
low complexity
dotcms CWE-22
6.5
2022-11-10 CVE-2022-35740 Cross-site Scripting vulnerability in Dotcms
dotCMS before 22.06 allows remote attackers to bypass intended access control and obtain sensitive information by using a semicolon in a URL to introduce a matrix parameter.
network
low complexity
dotcms CWE-79
6.1
2022-07-17 CVE-2022-26352 Unrestricted Upload of File with Dangerous Type vulnerability in Dotcms
An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02.
network
dotcms CWE-434
6.8
2021-09-08 CVE-2020-19138 Unrestricted Upload of File with Dangerous Type vulnerability in Dotcms
Unrestricted Upload of File with Dangerous Type in DotCMS v5.2.3 and earlier allow remote attackers to execute arbitrary code via the component "/src/main/java/com/dotmarketing/filters/CMSFilter.java".
network
low complexity
dotcms CWE-434
critical
10.0
2021-08-18 CVE-2020-18875 Injection vulnerability in Dotcms
Incorrect Access Control in DotCMS versions before 5.1 allows remote attackers to gain privileges by injecting client configurations via vtl (velocity) files.
network
low complexity
dotcms CWE-74
8.8
2021-07-09 CVE-2021-35358 Cross-site Scripting vulnerability in Dotcms 21.05.1
A stored cross site scripting (XSS) vulnerability in dotAdmin/#/c/c_Images of dotCMS 21.05.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' and 'Filename' parameters.
network
dotcms CWE-79
3.5
2021-07-09 CVE-2021-35360 Cross-site Scripting vulnerability in Dotcms 21.05.1
A reflected cross site scripting (XSS) vulnerability in dotAdmin/#/c/containers of dotCMS 21.05.1 allows attackers to execute arbitrary commands or HTML via a crafted payload.
network
dotcms CWE-79
3.5