Vulnerabilities > Dotcms > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-02-06 | CVE-2017-5876 | Cross-site Scripting vulnerability in Dotcms 3.7.0 XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack against the /news-events/events date parameter. | 4.3 |
| 2016-11-14 | CVE-2016-8908 | SQL Injection vulnerability in Dotcms SQL injection vulnerability in the "Site Browser > HTML pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter. | 6.5 |
| 2016-11-14 | CVE-2016-8907 | SQL Injection vulnerability in Dotcms SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter. | 6.5 |
| 2016-11-14 | CVE-2016-8906 | SQL Injection vulnerability in Dotcms SQL injection vulnerability in the "Site Browser > Links pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter. | 6.5 |
| 2016-11-14 | CVE-2016-8905 | SQL Injection vulnerability in Dotcms SQL injection vulnerability in the JSONTags servlet in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the sort parameter. | 6.5 |
| 2016-11-14 | CVE-2016-8904 | SQL Injection vulnerability in Dotcms SQL injection vulnerability in the "Site Browser > Containers pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter. | 6.5 |
| 2016-11-14 | CVE-2016-8903 | SQL Injection vulnerability in Dotcms SQL injection vulnerability in the "Site Browser > Templates pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter. | 6.5 |
| 2016-10-28 | CVE-2016-8600 | Permissions, Privileges, and Access Controls vulnerability in Dotcms 3.2.1 In dotCMS 3.2.1, attacker can load captcha once, fill it with correct value and then this correct value is ok for forms with captcha check later. | 5.0 |
| 2016-06-30 | CVE-2016-4803 | Email Header Injection vulnerability in dotCMS CRLF injection vulnerability in the send email functionality in dotCMS before 3.3.2 allows remote attackers to inject arbitrary email headers via CRLF sequences in the subject. | 5.0 |
| 2016-04-19 | CVE-2016-4040 | SQL Injection vulnerability in Dotcms SQL injection vulnerability in the Workflow Screen in dotCMS before 3.3.2 allows remote administrators to execute arbitrary SQL commands via the orderby parameter. | 6.5 |