Vulnerabilities > Dotcms > Dotcms
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-10-17 | CVE-2023-3042 | Cross-site Scripting vulnerability in Dotcms In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. | 6.1 |
| 2023-02-01 | CVE-2022-37034 | Uncontrolled Recursion vulnerability in Dotcms 22.03/22.03.2 In dotCMS 5.x-22.06, it is possible to call the TempResource multiple times, each time requesting the dotCMS server to download a large file. | 5.3 |
| 2023-02-01 | CVE-2022-37033 | Server-Side Request Forgery (SSRF) vulnerability in Dotcms 22.03/22.03.2 In dotCMS 5.x-22.06, TempFileAPI allows a user to create a temporary file based on a passed in URL, while attempting to block any SSRF access to local IP addresses or private subnets. | 6.5 |
| 2023-02-01 | CVE-2022-45782 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Dotcms An issue was discovered in dotCMS core 5.3.8.5 through 5.3.8.15 and 21.03 through 22.10.1. | 8.8 |
| 2023-02-01 | CVE-2022-45783 | Path Traversal vulnerability in Dotcms An issue was discovered in dotCMS core 4.x through 22.10.2. | 6.5 |
| 2022-11-10 | CVE-2022-35740 | Cross-site Scripting vulnerability in Dotcms dotCMS before 22.06 allows remote attackers to bypass intended access control and obtain sensitive information by using a semicolon in a URL to introduce a matrix parameter. | 6.1 |
| 2022-08-05 | CVE-2022-37431 | Cross-site Scripting vulnerability in Dotcms A Reflected Cross-site scripting (XSS) issue was discovered in dotCMS Core through 22.06. | 6.1 |
| 2022-07-17 | CVE-2022-26352 | Unspecified vulnerability in Dotcms An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. | 9.8 |
| 2021-09-08 | CVE-2020-19138 | Unrestricted Upload of File with Dangerous Type vulnerability in Dotcms Unrestricted Upload of File with Dangerous Type in DotCMS v5.2.3 and earlier allow remote attackers to execute arbitrary code via the component "/src/main/java/com/dotmarketing/filters/CMSFilter.java". | 10.0 |
| 2021-08-18 | CVE-2020-18875 | Injection vulnerability in Dotcms Incorrect Access Control in DotCMS versions before 5.1 allows remote attackers to gain privileges by injecting client configurations via vtl (velocity) files. | 8.8 |