Vulnerabilities > Dotcms > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-02-06 | CVE-2017-5877 | Cross-site Scripting vulnerability in Dotcms 3.7.0 XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack against the /about-us/locations/index direction parameter. | 6.1 |
| 2017-02-06 | CVE-2017-5876 | Cross-site Scripting vulnerability in Dotcms 3.7.0 XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack against the /news-events/events date parameter. | 6.1 |
| 2017-02-06 | CVE-2017-5875 | Cross-site Scripting vulnerability in Dotcms 3.7.0 XSS was discovered in dotCMS 3.7.0, with an authenticated attack against the /myAccount addressID parameter. | 5.4 |
| 2016-04-19 | CVE-2016-3688 | Information Exposure vulnerability in Dotcms SQL injection vulnerability in dotCMS before 3.5 allows remote administrators to execute arbitrary SQL commands via the c0-e3 parameter to dwr/call/plaincall/UserAjax.getUsersList.dwr. | 6.5 |
| 2016-04-18 | CVE-2016-3971 | Cross-site Scripting vulnerability in Dotcms Cross-site scripting (XSS) vulnerability in lucene_search.jsp in dotCMS before 3.5.1 allows remote attackers to inject arbitrary web script or HTML via the query parameter to c/portal/layout. | 4.8 |