Dotcms

dotcms

57 CVEs • 1 product

Products (1)

Click to collapse

Toggle

CVEs (57)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2016-8908 1Dotcms 1Dotcms May 6, 2026 Nov 14, 2016 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 SQL injection vulnerability in the "Site Browser > HTML pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
CVE-2016-8907 1Dotcms 1Dotcms May 6, 2026 Nov 14, 2016 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
CVE-2016-8906 1Dotcms 1Dotcms May 6, 2026 Nov 14, 2016 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 SQL injection vulnerability in the "Site Browser > Links pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
CVE-2016-8905 1Dotcms 1Dotcms May 6, 2026 Nov 14, 2016 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 SQL injection vulnerability in the JSONTags servlet in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the sort parameter.
CVE-2016-8904 1Dotcms 1Dotcms May 6, 2026 Nov 14, 2016 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 SQL injection vulnerability in the "Site Browser > Containers pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
CVE-2016-8903 1Dotcms 1Dotcms May 6, 2026 Nov 14, 2016 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 SQL injection vulnerability in the "Site Browser > Templates pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
CVE-2016-8902 1Dotcms 1Dotcms May 6, 2026 Nov 14, 2016 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 SQL injection vulnerability in the categoriesServlet servlet in dotCMS before 3.3.1 allows remote not authenticated attackers to execute arbitrary SQL commands via the sort parameter.
CVE-2016-8600 1Dotcms 1Dotcms May 6, 2026 Oct 28, 2016 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 In dotCMS 3.2.1, attacker can load captcha once, fill it with correct value and then this correct value is ok for forms with captcha check later.
CVE-2016-4803 1Dotcms 1Dotcms May 6, 2026 Jun 30, 2016 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 CRLF injection vulnerability in the send email functionality in dotCMS before 3.3.2 allows remote attackers to inject arbitrary email headers via CRLF sequences in the subject.
CVE-2016-4040 1Dotcms 1Dotcms May 6, 2026 Apr 19, 2016 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 SQL injection vulnerability in the Workflow Screen in dotCMS before 3.3.2 allows remote administrators to execute arbitrary SQL commands via the orderby parameter.
CVE-2016-3688 1Dotcms 1Dotcms May 6, 2026 Apr 19, 2016 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 SQL injection vulnerability in dotCMS before 3.5 allows remote administrators to execute arbitrary SQL commands via the c0-e3 parameter to dwr/call/plaincall/UserAjax.getUsersList.dwr.
CVE-2016-3972 1Dotcms 1Dotcms May 6, 2026 Apr 18, 2016 N/A· v4 2.7 LOW· v3 4.0 MEDIUM· v2 Directory traversal vulnerability in the dotTailLogServlet in dotCMS before 3.5.1 allows remote authenticated administrators to read arbitrary files via a .. (dot dot) in the fileName parameter.
CVE-2016-3971 1Dotcms 1Dotcms May 6, 2026 Apr 18, 2016 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 Cross-site scripting (XSS) vulnerability in lucene_search.jsp in dotCMS before 3.5.1 allows remote attackers to inject arbitrary web script or HTML via the query parameter to c/portal/layout.
CVE-2013-3484 1Dotcms 1Dotcms May 6, 2026 Apr 2, 2014 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities in dotCMS before 2.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) _loginUserName parameter to application/login/login.html, (2) my_accoun...Show more Multiple cross-site scripting (XSS) vulnerabilities in dotCMS before 2.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) _loginUserName parameter to application/login/login.html, (2) my_account_login parameter to c/portal_public/login, or (3) email parameter to forgotPassword.Show less
CVE-2012-1826 1Dotcms 1Dotcms Apr 29, 2026 Jun 8, 2012 N/A· v4 N/A· v3 6.0 MEDIUM· v2 dotCMS 1.9 before 1.9.5.1 allows remote authenticated users to execute arbitrary Java code via a crafted (1) XSLT or (2) Velocity template.
CVE-2008-3708 1Dotcms 1Dotcms Apr 23, 2026 Aug 19, 2008 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Multiple directory traversal vulnerabilities in dotCMS 1.6.0.9 allow remote attackers to read arbitrary files via a .. (dot dot) in the id parameter to (1) news/index.dot and (2) getting_started/macros/macros_detail.dot.
CVE-2008-2397 1Dotcms 1Dotcms Apr 23, 2026 May 21, 2008 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in search-results.dot in dotCMS 1.x allows remote attackers to inject arbitrary web script or HTML via the search_query parameter. NOTE: the provenance of this information is unk...Show more Cross-site scripting (XSS) vulnerability in search-results.dot in dotCMS 1.x allows remote attackers to inject arbitrary web script or HTML via the search_query parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.Show less