Vulnerabilities > Dotcms > Dotcms > 3.3.2

DATE CVE VULNERABILITY TITLE RISK
2018-07-24 CVE-2017-3189 Unrestricted Upload of File with Dangerous Type vulnerability in Dotcms
The dotCMS administration panel, versions 3.7.1 and earlier, "Push Publishing" feature in Enterprise Pro is vulnerable to arbitrary file upload.
network
dotcms CWE-434
critical
 9.3
9.3
2018-07-24 CVE-2017-3188 Path Traversal vulnerability in Dotcms
The dotCMS administration panel, versions 3.7.1 and earlier, "Push Publishing" feature in Enterprise Pro is vulnerable to path traversal.
network
low complexity
dotcms CWE-22
4.0
4.0
2018-07-24 CVE-2017-3187 Cross-Site Request Forgery (CSRF) vulnerability in Dotcms
The dotCMS administration panel, versions 3.7.1 and earlier, are vulnerable to cross-site request forgery.
network
dotcms CWE-352
6.8
6.8
2018-02-19 CVE-2016-10008 SQL Injection vulnerability in Dotcms
SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.7.2 and 4.x before 4.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the _EXT_STRUCTURE_direction parameter.
network
low complexity
dotcms CWE-89
6.5
6.5
2018-02-19 CVE-2016-10007 SQL Injection vulnerability in Dotcms
SQL injection vulnerability in the "Marketing > Forms" screen in dotCMS before 3.7.2 and 4.x before 4.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the _EXT_FORM_HANDLER_orderBy parameter.
network
low complexity
dotcms CWE-89
6.5
6.5
2017-02-17 CVE-2017-5344 SQL Injection vulnerability in Dotcms
An issue was discovered in dotCMS through 3.6.1.
network
low complexity
dotcms CWE-89
7.5
7.5
2016-04-18 CVE-2016-3972 Path Traversal vulnerability in Dotcms
Directory traversal vulnerability in the dotTailLogServlet in dotCMS before 3.5.1 allows remote authenticated administrators to read arbitrary files via a ..
network
low complexity
dotcms CWE-22
4.0
4.0
2016-04-18 CVE-2016-3971 Cross-site Scripting vulnerability in Dotcms
Cross-site scripting (XSS) vulnerability in lucene_search.jsp in dotCMS before 3.5.1 allows remote attackers to inject arbitrary web script or HTML via the query parameter to c/portal/layout.
network
dotcms CWE-79
3.5
3.5