Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Dotcms Subscribe
Total 52 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2016-8904 1 Dotcms 1 Dotcms 2016-11-29 6.5 MEDIUM 8.8 HIGH
SQL injection vulnerability in the "Site Browser > Containers pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
CVE-2016-8903 1 Dotcms 1 Dotcms 2016-11-29 6.5 MEDIUM 8.8 HIGH
SQL injection vulnerability in the "Site Browser > Templates pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
CVE-2016-8902 1 Dotcms 1 Dotcms 2016-11-29 7.5 HIGH 9.8 CRITICAL
SQL injection vulnerability in the categoriesServlet servlet in dotCMS before 3.3.1 allows remote not authenticated attackers to execute arbitrary SQL commands via the sort parameter.
CVE-2016-8907 1 Dotcms 1 Dotcms 2016-11-29 6.5 MEDIUM 8.8 HIGH
SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
CVE-2016-8908 1 Dotcms 1 Dotcms 2016-11-29 6.5 MEDIUM 8.8 HIGH
SQL injection vulnerability in the "Site Browser > HTML pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
CVE-2016-8600 1 Dotcms 1 Dotcms 2016-11-28 5.0 MEDIUM 7.5 HIGH
In dotCMS 3.2.1, attacker can load captcha once, fill it with correct value and then this correct value is ok for forms with captcha check later.
CVE-2016-4803 1 Dotcms 1 Dotcms 2016-11-28 5.0 MEDIUM 7.5 HIGH
CRLF injection vulnerability in the send email functionality in dotCMS before 3.3.2 allows remote attackers to inject arbitrary email headers via CRLF sequences in the subject.
CVE-2016-3688 1 Dotcms 1 Dotcms 2016-04-28 4.0 MEDIUM 6.5 MEDIUM
SQL injection vulnerability in dotCMS before 3.5 allows remote administrators to execute arbitrary SQL commands via the c0-e3 parameter to dwr/call/plaincall/UserAjax.getUsersList.dwr.
CVE-2016-4040 1 Dotcms 1 Dotcms 2016-04-22 6.5 MEDIUM 7.2 HIGH
SQL injection vulnerability in the Workflow Screen in dotCMS before 3.3.2 allows remote administrators to execute arbitrary SQL commands via the orderby parameter.
CVE-2016-3972 1 Dotcms 1 Dotcms 2016-04-19 4.0 MEDIUM 2.7 LOW
Directory traversal vulnerability in the dotTailLogServlet in dotCMS before 3.5.1 allows remote authenticated administrators to read arbitrary files via a .. (dot dot) in the fileName parameter.
CVE-2013-3484 1 Dotcms 1 Dotcms 2014-04-03 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in dotCMS before 2.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) _loginUserName parameter to application/login/login.html, (2) my_account_login parameter to c/portal_public/login, or (3) email parameter to forgotPassword.
CVE-2012-1826 1 Dotcms 1 Dotcms 2012-11-26 6.0 MEDIUM N/A
dotCMS 1.9 before 1.9.5.1 allows remote authenticated users to execute arbitrary Java code via a crafted (1) XSLT or (2) Velocity template.