Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
dotcms vulnerabilities and exploits
(subscribe to this query)
NA
CVE-2024-3164
In dotCMS dashboard, the Tools and Log Files tabs under System ? Maintenance Portlet, which is and always has been an Admin portlet, is accessible to anyone with that portlet and not just to CMS Admins. Users that get site admin but not a system admin, should not have access to t...
NA
CVE-2024-3165
System->Maintenance-> Log Files in dotCMS dashboard is providing the username/password for database connections in the log output. Nevertheless, this is a moderate issue as it requires a backend admin as well as that dbs are locked down by environment. OWASP Top 10 - A05) I...
NA
CVE-2023-3042
In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp https://demo.dotc...
Dotcms Dotcms 23.01
Dotcms Dotcms 5.3.8
Dotcms Dotcms 21.06
Dotcms Dotcms 22.03
NA
CVE-2022-37034
In dotCMS 5.x-22.06, it is possible to call the TempResource multiple times, each time requesting the dotCMS server to download a large file. If done repeatedly, this will result in Tomcat request-thread exhaustion and ultimately a denial of any other requests.
Dotcms Dotcms
NA
CVE-2022-45782
An issue exists in dotCMS core 5.3.8.5 up to and including 5.3.8.15 and 21.03 up to and including 22.10.1. A cryptographically insecure random generation algorithm for password-reset token generation leads to account takeover.
Dotcms Dotcms
NA
CVE-2022-45783
An issue exists in dotCMS core 4.x up to and including 22.10.2. An authenticated directory traversal vulnerability in the dotCMS API can lead to Remote Code Execution.
Dotcms Dotcms
NA
CVE-2022-37033
In dotCMS 5.x-22.06, TempFileAPI allows a user to create a temporary file based on a passed in URL, while attempting to block any SSRF access to local IP addresses or private subnets. In resolving this URL, the TempFileAPI follows any 302 redirects that the remote URL returns. Be...
Dotcms Dotcms
NA
CVE-2022-35740
dotCMS prior to 22.06 allows remote malicious users to bypass intended access control and obtain sensitive information by using a semicolon in a URL to introduce a matrix parameter. (This is also fixed in 5.3.8.12, 21.06.9, and 22.03.2 for LTS users.) Some Java application framew...
Dotcms Dotcms
NA
CVE-2022-37431
A Reflected Cross-site scripting (XSS) issue exists in dotCMS Core up to and including 22.06. This occurs in the admin portal when the configuration has XSS_PROTECTION_ENABLED=false. NOTE: the vendor disputes this because the current product behavior, in effect, has XSS_PROTECTIO...
Dotcms Dotcms
6.8
CVSSv2
CVE-2022-26352
An issue exists in the ContentResource API in dotCMS 3.0 up to and including 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage l...
Dotcms Dotcms
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-27977
IMAP
local users
CVE-2024-32038
CVE-2023-49963
CVE-2023-22869
CVE-2024-31497
local
CVE-2024-2961
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
4
5
6
NEXT »