Vulnerabilities > Dotcms

DATE CVE VULNERABILITY TITLE RISK
2017-03-27 CVE-2017-6003 Cross-site Scripting vulnerability in Dotcms 3.7.0
dotCMS 3.7.0 has XSS reachable from ext/languages_manager/edit_language in portal/layout via the bottom two form fields.
network
dotcms CWE-79
4.3
4.3
2017-02-17 CVE-2017-5344 SQL Injection vulnerability in Dotcms
An issue was discovered in dotCMS through 3.6.1.
network
low complexity
dotcms CWE-89
7.5
7.5
2017-02-06 CVE-2017-5877 Cross-site Scripting vulnerability in Dotcms 3.7.0
XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack against the /about-us/locations/index direction parameter.
network
dotcms CWE-79
4.3
4.3
2017-02-06 CVE-2017-5876 Cross-site Scripting vulnerability in Dotcms 3.7.0
XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack against the /news-events/events date parameter.
network
dotcms CWE-79
4.3
4.3
2017-02-06 CVE-2017-5875 Cross-site Scripting vulnerability in Dotcms 3.7.0
XSS was discovered in dotCMS 3.7.0, with an authenticated attack against the /myAccount addressID parameter.
network
dotcms CWE-79
3.5
3.5
2016-12-19 CVE-2016-2355 SQL Injection vulnerability in Dotcms
SQL injection vulnerability in the REST API in dotCMS before 3.3.2 allows remote attackers to execute arbitrary SQL commands via the stName parameter to api/content/save/1.
network
low complexity
dotcms CWE-89
7.5
7.5
2016-11-14 CVE-2016-8908 SQL Injection vulnerability in Dotcms
SQL injection vulnerability in the "Site Browser > HTML pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
network
low complexity
dotcms CWE-89
6.5
6.5
2016-11-14 CVE-2016-8907 SQL Injection vulnerability in Dotcms
SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
network
low complexity
dotcms CWE-89
6.5
6.5
2016-11-14 CVE-2016-8906 SQL Injection vulnerability in Dotcms
SQL injection vulnerability in the "Site Browser > Links pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
network
low complexity
dotcms CWE-89
6.5
6.5
2016-11-14 CVE-2016-8905 SQL Injection vulnerability in Dotcms
SQL injection vulnerability in the JSONTags servlet in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the sort parameter.
network
low complexity
dotcms CWE-89
6.5
6.5