Vulnerabilities > Dotcms
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-07-20 | CVE-2017-11466 | Unrestricted Upload of File with Dangerous Type vulnerability in Dotcms 4.1.1 Arbitrary file upload vulnerability in com/dotmarketing/servlets/AjaxFileUploadServlet.class in dotCMS 4.1.1 allows remote authenticated administrators to upload .jsp files to arbitrary locations via directory traversal sequences in the fieldName parameter to servlets/ajax_file_upload. | 7.2 |
| 2017-03-27 | CVE-2017-6003 | Cross-site Scripting vulnerability in Dotcms 3.7.0 dotCMS 3.7.0 has XSS reachable from ext/languages_manager/edit_language in portal/layout via the bottom two form fields. | 6.1 |
| 2017-02-17 | CVE-2017-5344 | SQL Injection vulnerability in Dotcms An issue was discovered in dotCMS through 3.6.1. | 9.8 |
| 2017-02-06 | CVE-2017-5877 | Cross-site Scripting vulnerability in Dotcms 3.7.0 XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack against the /about-us/locations/index direction parameter. | 6.1 |
| 2017-02-06 | CVE-2017-5876 | Cross-site Scripting vulnerability in Dotcms 3.7.0 XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack against the /news-events/events date parameter. | 6.1 |
| 2017-02-06 | CVE-2017-5875 | Cross-site Scripting vulnerability in Dotcms 3.7.0 XSS was discovered in dotCMS 3.7.0, with an authenticated attack against the /myAccount addressID parameter. | 5.4 |
| 2016-12-19 | CVE-2016-2355 | SQL Injection vulnerability in Dotcms SQL injection vulnerability in the REST API in dotCMS before 3.3.2 allows remote attackers to execute arbitrary SQL commands via the stName parameter to api/content/save/1. | 9.8 |
| 2016-11-14 | CVE-2016-8908 | SQL Injection vulnerability in Dotcms SQL injection vulnerability in the "Site Browser > HTML pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter. | 8.8 |
| 2016-11-14 | CVE-2016-8907 | SQL Injection vulnerability in Dotcms SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter. | 8.8 |
| 2016-11-14 | CVE-2016-8906 | SQL Injection vulnerability in Dotcms SQL injection vulnerability in the "Site Browser > Links pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter. | 8.8 |