Vulnerabilities > Dotcms

DATE CVE VULNERABILITY TITLE RISK
2019-05-14 CVE-2019-11846 Cross-site Scripting vulnerability in Dotcms 5.1.1
/servlets/ajax_file_upload?fieldName=binary3 in dotCMS 5.1.1 allows XSS and HTML Injection.
network
low complexity
dotcms CWE-79
6.1
2019-03-07 CVE-2018-17422 Open Redirect vulnerability in Dotcms
dotCMS before 5.0.2 has open redirects via the html/common/forward_js.jsp FORWARD_URL parameter or the html/portlet/ext/common/page_preview_popup.jsp hostname parameter.
network
low complexity
dotcms CWE-601
6.1
2018-11-26 CVE-2018-19554 Cross-site Scripting vulnerability in Dotcms
An issue was discovered in Dotcms through 5.0.3.
network
low complexity
dotcms CWE-79
5.4
2018-09-12 CVE-2018-16980 Cross-site Scripting vulnerability in Dotcms 5.0.1
dotCMS V5.0.1 has XSS in the /html/portlet/ext/contentlet/image_tools/index.jsp fieldName and inode parameters.
network
low complexity
dotcms CWE-79
6.1
2018-07-24 CVE-2017-3189 Unrestricted Upload of File with Dangerous Type vulnerability in Dotcms
The dotCMS administration panel, versions 3.7.1 and earlier, "Push Publishing" feature in Enterprise Pro is vulnerable to arbitrary file upload.
network
high complexity
dotcms CWE-434
8.1
2018-07-24 CVE-2017-3188 Path Traversal vulnerability in Dotcms
The dotCMS administration panel, versions 3.7.1 and earlier, "Push Publishing" feature in Enterprise Pro is vulnerable to path traversal.
network
low complexity
dotcms CWE-22
6.5
2018-07-24 CVE-2017-3187 Cross-Site Request Forgery (CSRF) vulnerability in Dotcms
The dotCMS administration panel, versions 3.7.1 and earlier, are vulnerable to cross-site request forgery.
network
low complexity
dotcms CWE-352
8.8
2018-02-19 CVE-2016-10008 SQL Injection vulnerability in Dotcms
SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.7.2 and 4.x before 4.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the _EXT_STRUCTURE_direction parameter.
network
low complexity
dotcms CWE-89
7.2
2018-02-19 CVE-2016-10007 SQL Injection vulnerability in Dotcms
SQL injection vulnerability in the "Marketing > Forms" screen in dotCMS before 3.7.2 and 4.x before 4.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the _EXT_FORM_HANDLER_orderBy parameter.
network
low complexity
dotcms CWE-89
7.2
2017-10-10 CVE-2017-15219 Cross-site Scripting vulnerability in Dotcms 4.1.1
The dotCMS 4.1.1 application is vulnerable to Stored Cross-Site Scripting (XSS) affecting a vanity-urls Title field, a containers Description field, and a templates Description field.
network
low complexity
dotcms CWE-79
5.4