CVE-2016-3688

Published: Apr 19, 2016Modified: May 6, 2026

6.5

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

SQL injection vulnerability in dotCMS before 3.5 allows remote administrators to execute arbitrary SQL commands via the c0-e3 parameter to dwr/call/plaincall/UserAjax.getUsersList.dwr.

Affected (1)

Products: Dotcms: Dotcms

Dotcms

1 product

Dotcms

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Dotcms Dotcms	Up to 3.3.1

Related CWEs

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (8)

http://dotcms.com/security/SI-32

Source: cve@mitre.org

Vendor Advisory

http://packetstormsecurity.com/files/136548/DotCMS-3.3-SQL-Injection.html

Source: cve@mitre.org

Exploit

http://seclists.org/fulldisclosure/2016/Apr/11

Source: cve@mitre.org

http://seclists.org/fulldisclosure/2016/Apr/5

Source: cve@mitre.org

http://dotcms.com/security/SI-32

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://packetstormsecurity.com/files/136548/DotCMS-3.3-SQL-Injection.html

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

http://seclists.org/fulldisclosure/2016/Apr/11

Source: af854a3a-2127-422b-91ae-364da2661108

http://seclists.org/fulldisclosure/2016/Apr/5

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.