Vulnerabilities > Dotcms > Medium

DATE CVE VULNERABILITY TITLE RISK
2019-05-14 CVE-2019-11846 Cross-site Scripting vulnerability in Dotcms 5.1.1
/servlets/ajax_file_upload?fieldName=binary3 in dotCMS 5.1.1 allows XSS and HTML Injection.
network
dotcms CWE-79
4.3
2019-03-07 CVE-2018-17422 Open Redirect vulnerability in Dotcms
dotCMS before 5.0.2 has open redirects via the html/common/forward_js.jsp FORWARD_URL parameter or the html/portlet/ext/common/page_preview_popup.jsp hostname parameter.
network
dotcms CWE-601
5.8
2018-11-26 CVE-2018-19554 Cross-site Scripting vulnerability in Dotcms
An issue was discovered in Dotcms through 5.0.3.
network
low complexity
dotcms CWE-79
5.4
2018-09-12 CVE-2018-16980 Cross-site Scripting vulnerability in Dotcms 5.0.1
dotCMS V5.0.1 has XSS in the /html/portlet/ext/contentlet/image_tools/index.jsp fieldName and inode parameters.
network
dotcms CWE-79
4.3
2018-07-24 CVE-2017-3188 Path Traversal vulnerability in Dotcms
The dotCMS administration panel, versions 3.7.1 and earlier, "Push Publishing" feature in Enterprise Pro is vulnerable to path traversal.
network
low complexity
dotcms CWE-22
4.0
2018-07-24 CVE-2017-3187 Cross-Site Request Forgery (CSRF) vulnerability in Dotcms
The dotCMS administration panel, versions 3.7.1 and earlier, are vulnerable to cross-site request forgery.
network
dotcms CWE-352
6.8
2018-02-19 CVE-2016-10008 SQL Injection vulnerability in Dotcms
SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.7.2 and 4.x before 4.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the _EXT_STRUCTURE_direction parameter.
network
low complexity
dotcms CWE-89
6.5
2018-02-19 CVE-2016-10007 SQL Injection vulnerability in Dotcms
SQL injection vulnerability in the "Marketing > Forms" screen in dotCMS before 3.7.2 and 4.x before 4.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the _EXT_FORM_HANDLER_orderBy parameter.
network
low complexity
dotcms CWE-89
6.5
2017-03-27 CVE-2017-6003 Cross-site Scripting vulnerability in Dotcms 3.7.0
dotCMS 3.7.0 has XSS reachable from ext/languages_manager/edit_language in portal/layout via the bottom two form fields.
network
dotcms CWE-79
4.3
2017-02-06 CVE-2017-5877 Cross-site Scripting vulnerability in Dotcms 3.7.0
XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack against the /about-us/locations/index direction parameter.
network
dotcms CWE-79
4.3