Vulnerabilities > Dotcms

DATE CVE VULNERABILITY TITLE RISK
2016-11-14 CVE-2016-8904 SQL Injection vulnerability in Dotcms
SQL injection vulnerability in the "Site Browser > Containers pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
network
low complexity
dotcms CWE-89
6.5
6.5
2016-11-14 CVE-2016-8903 SQL Injection vulnerability in Dotcms
SQL injection vulnerability in the "Site Browser > Templates pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
network
low complexity
dotcms CWE-89
6.5
6.5
2016-11-14 CVE-2016-8902 SQL Injection vulnerability in Dotcms
SQL injection vulnerability in the categoriesServlet servlet in dotCMS before 3.3.1 allows remote not authenticated attackers to execute arbitrary SQL commands via the sort parameter.
network
low complexity
dotcms CWE-89
7.5
7.5
2016-10-28 CVE-2016-8600 Permissions, Privileges, and Access Controls vulnerability in Dotcms 3.2.1
In dotCMS 3.2.1, attacker can load captcha once, fill it with correct value and then this correct value is ok for forms with captcha check later.
network
low complexity
dotcms CWE-264
5.0
5.0
2016-06-30 CVE-2016-4803 Email Header Injection vulnerability in dotCMS
CRLF injection vulnerability in the send email functionality in dotCMS before 3.3.2 allows remote attackers to inject arbitrary email headers via CRLF sequences in the subject.
network
low complexity
dotcms
5.0
5.0
2016-04-19 CVE-2016-4040 SQL Injection vulnerability in Dotcms
SQL injection vulnerability in the Workflow Screen in dotCMS before 3.3.2 allows remote administrators to execute arbitrary SQL commands via the orderby parameter.
network
low complexity
dotcms CWE-89
6.5
6.5
2016-04-19 CVE-2016-3688 Information Exposure vulnerability in Dotcms
SQL injection vulnerability in dotCMS before 3.5 allows remote administrators to execute arbitrary SQL commands via the c0-e3 parameter to dwr/call/plaincall/UserAjax.getUsersList.dwr.
network
low complexity
dotcms CWE-200
4.0
4.0
2016-04-18 CVE-2016-3972 Path Traversal vulnerability in Dotcms
Directory traversal vulnerability in the dotTailLogServlet in dotCMS before 3.5.1 allows remote authenticated administrators to read arbitrary files via a ..
network
low complexity
dotcms CWE-22
4.0
4.0
2016-04-18 CVE-2016-3971 Cross-site Scripting vulnerability in Dotcms
Cross-site scripting (XSS) vulnerability in lucene_search.jsp in dotCMS before 3.5.1 allows remote attackers to inject arbitrary web script or HTML via the query parameter to c/portal/layout.
network
dotcms CWE-79
3.5
3.5
2014-04-02 CVE-2013-3484 Cross-Site Scripting vulnerability in Dotcms
Multiple cross-site scripting (XSS) vulnerabilities in dotCMS before 2.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) _loginUserName parameter to application/login/login.html, (2) my_account_login parameter to c/portal_public/login, or (3) email parameter to forgotPassword.
network
dotcms CWE-79
4.3
4.3