Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
dotcms dotcms vulnerabilities and exploits
(subscribe to this query)
7.2
CVSSv3
CVE-2016-10007
SQL injection vulnerability in the "Marketing > Forms" screen in dotCMS prior to 3.7.2 and 4.x prior to 4.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the _EXT_FORM_HANDLER_orderBy parameter.
Dotcms Dotcms
7.2
CVSSv3
CVE-2016-10008
SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS prior to 3.7.2 and 4.x prior to 4.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the _EXT_STRUCTURE_direction parameter.
Dotcms Dotcms
7.2
CVSSv3
CVE-2017-11466
Arbitrary file upload vulnerability in com/dotmarketing/servlets/AjaxFileUploadServlet.class in dotCMS 4.1.1 allows remote authenticated administrators to upload .jsp files to arbitrary locations via directory traversal sequences in the fieldName parameter to servlets/ajax_file_u...
Dotcms Dotcms 4.1.1
7.2
CVSSv3
CVE-2016-4040
SQL injection vulnerability in the Workflow Screen in dotCMS prior to 3.3.2 allows remote administrators to execute arbitrary SQL commands via the orderby parameter.
Dotcms Dotcms
6.5
CVSSv3
CVE-2022-45783
An issue exists in dotCMS core 4.x up to and including 22.10.2. An authenticated directory traversal vulnerability in the dotCMS API can lead to Remote Code Execution.
Dotcms Dotcms
6.5
CVSSv3
CVE-2022-37033
In dotCMS 5.x-22.06, TempFileAPI allows a user to create a temporary file based on a passed in URL, while attempting to block any SSRF access to local IP addresses or private subnets. In resolving this URL, the TempFileAPI follows any 302 redirects that the remote URL returns. Be...
Dotcms Dotcms
6.5
CVSSv3
CVE-2017-3188
The dotCMS administration panel, versions 3.7.1 and previous versions, "Push Publishing" feature in Enterprise Pro is vulnerable to path traversal. When "Bundle" tar.gz archives uploaded to the Push Publishing feature are decompressed, the filenames of its con...
Dotcms Dotcms
6.5
CVSSv3
CVE-2016-3688
SQL injection vulnerability in dotCMS prior to 3.5 allows remote administrators to execute arbitrary SQL commands via the c0-e3 parameter to dwr/call/plaincall/UserAjax.getUsersList.dwr.
Dotcms Dotcms
6.1
CVSSv3
CVE-2023-3042
In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp https://demo.dotc...
Dotcms Dotcms 23.01
Dotcms Dotcms 5.3.8
Dotcms Dotcms 21.06
Dotcms Dotcms 22.03
6.1
CVSSv3
CVE-2022-35740
dotCMS prior to 22.06 allows remote malicious users to bypass intended access control and obtain sensitive information by using a semicolon in a URL to introduce a matrix parameter. (This is also fixed in 5.3.8.12, 21.06.9, and 22.03.2 for LTS users.) Some Java application framew...
Dotcms Dotcms
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-23316
SQL injection
type confusion
CVE-2024-20697
CVE-2024-4344
local
CVE-2024-30043
CVE-2024-3821
CVE-2024-5041
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
7
NEXT »