Vulnerabilities > Dotcms > Medium

DATE CVE VULNERABILITY TITLE RISK
2024-07-25 CVE-2024-3938 Cross-site Scripting vulnerability in Dotcms
The "reset password" login page accepted an HTML injection via URL parameters. This has already been rectified via patch, and as such it cannot be demonstrated via Demo site link.
network
low complexity
dotcms CWE-79
6.1
2023-10-17 CVE-2023-3042 Cross-site Scripting vulnerability in Dotcms
In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls.
network
low complexity
dotcms CWE-79
6.1
2023-02-01 CVE-2022-37034 Uncontrolled Recursion vulnerability in Dotcms 22.03/22.03.2
In dotCMS 5.x-22.06, it is possible to call the TempResource multiple times, each time requesting the dotCMS server to download a large file.
network
low complexity
dotcms CWE-674
5.3
2023-02-01 CVE-2022-37033 Server-Side Request Forgery (SSRF) vulnerability in Dotcms 22.03/22.03.2
In dotCMS 5.x-22.06, TempFileAPI allows a user to create a temporary file based on a passed in URL, while attempting to block any SSRF access to local IP addresses or private subnets.
network
low complexity
dotcms CWE-918
6.5
2023-02-01 CVE-2022-45783 Path Traversal vulnerability in Dotcms
An issue was discovered in dotCMS core 4.x through 22.10.2.
local
low complexity
dotcms CWE-22
6.5
2022-11-10 CVE-2022-35740 Cross-site Scripting vulnerability in Dotcms
dotCMS before 22.06 allows remote attackers to bypass intended access control and obtain sensitive information by using a semicolon in a URL to introduce a matrix parameter.
network
low complexity
dotcms CWE-79
6.1
2022-08-05 CVE-2022-37431 Cross-site Scripting vulnerability in Dotcms
A Reflected Cross-site scripting (XSS) issue was discovered in dotCMS Core through 22.06.
network
low complexity
dotcms CWE-79
6.1
2020-12-30 CVE-2020-27848 SQL Injection vulnerability in Dotcms
dotCMS before 20.10.1 allows SQL injection, as demonstrated by the /api/v1/containers orderby parameter.
network
low complexity
dotcms CWE-89
6.5
2019-06-18 CVE-2019-12872 SQL Injection vulnerability in Dotcms
dotCMS before 5.1.6 is vulnerable to a SQL injection that can be exploited by an attacker of the role Publisher via view_unpushed_bundles.jsp.
network
low complexity
dotcms CWE-89
6.5
2019-05-23 CVE-2019-12309 Path Traversal vulnerability in Dotcms
dotCMS before 5.1.0 has a path traversal vulnerability exploitable by an administrator to create files.
network
low complexity
dotcms CWE-22
4.0