Vulnerabilities > Dotcms > Medium

| Date | CVE | Vulnerability title | Description | Attack vector | Complexity | Vendor | CWE | Risk |
|---|---|---|---|---|---|---|---|---|
| 2017-02-06 | CVE-2017-5877 | Cross-site Scripting vulnerability in Dotcms 3.7.0 | XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack against the /about-us/locations/index direction parameter. | network | low complexity | dotcms | CWE-79 | 6.1 |
| 2017-02-06 | CVE-2017-5876 | Cross-site Scripting vulnerability in Dotcms 3.7.0 | XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack against the /news-events/events date parameter. | network | low complexity | dotcms | CWE-79 | 6.1 |
| 2017-02-06 | CVE-2017-5875 | Cross-site Scripting vulnerability in Dotcms 3.7.0 | XSS was discovered in dotCMS 3.7.0, with an authenticated attack against the /myAccount addressID parameter. | network | low complexity | dotcms | CWE-79 | 5.4 |
| 2016-04-19 | CVE-2016-3688 | Information Exposure vulnerability in Dotcms | SQL injection vulnerability in dotCMS before 3.5 allows remote administrators to execute arbitrary SQL commands via the c0-e3 parameter to dwr/call/plaincall/UserAjax.getUsersList.dwr. | network | low complexity | dotcms | CWE-200 | 6.5 |
| 2016-04-18 | CVE-2016-3971 | Cross-site Scripting vulnerability in Dotcms | Cross-site scripting (XSS) vulnerability in lucene_search.jsp in dotCMS before 3.5.1 allows remote attackers to inject arbitrary web script or HTML via the query parameter to c/portal/layout. | network | low complexity | dotcms | CWE-79 | 4.8 |