Vulmon
dotcms dotcms vulnerabilities and exploits
5.4
CVSSv3
CVE-2018-19554
An issue exists in Dotcms up to and including 5.0.3. Attackers may perform XSS attacks via the inode, identifier, or fieldName parameter in html/js/dotcms/dijit/image/image_tool.jsp.
Dotcms Dotcms
8.8
CVSSv3
CVE-2020-18875
Incorrect Access Control in DotCMS versions prior to 5.1 allows remote malicious users to gain privileges by injecting client configurations via vtl (velocity) files.
Dotcms Dotcms
5.3
CVSSv3
CVE-2022-37034
In dotCMS 5.x-22.06, it is possible to call the TempResource multiple times, each time requesting the dotCMS server to download a large file. If done repeatedly, this will result in Tomcat request-thread exhaustion and ultimately a denial of any other requests.
Dotcms Dotcms
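The thread-exhaustion entry above describes a resource that does slow work (downloading a remote file) on behalf of any caller, as often as the caller asks. The standard guard is to bound in-flight work per client and in total before the slow step starts, and to cap how much of the remote body is read. The following is an added illustration of that guard, not dotCMS code; the handler, the `fetch` callable and the limits are hypothetical.

```python
import threading


class InFlightLimiter:
    """Caps simultaneous requests per client key and in total.

    A handler that is about to do slow work calls try_acquire() first and
    refuses the request when a cap is hit, so one client cannot pin every
    request thread while the server downloads files for it.
    """

    def __init__(self, per_client: int, total: int):
        self._lock = threading.Lock()
        self._per_client = per_client
        self._total = total
        self._active = 0
        self._counts = {}  # client key -> requests currently in flight

    def try_acquire(self, client: str) -> bool:
        with self._lock:
            if self._active >= self._total or self._counts.get(client, 0) >= self._per_client:
                return False
            self._active += 1
            self._counts[client] = self._counts.get(client, 0) + 1
            return True

    def release(self, client: str) -> None:
        with self._lock:
            self._active -= 1
            remaining = self._counts.get(client, 0) - 1
            if remaining <= 0:
                self._counts.pop(client, None)
            else:
                self._counts[client] = remaining


def read_bounded(chunks, max_bytes: int) -> bytes:
    """Consume a remote body chunk by chunk and abort once it exceeds max_bytes,
    instead of buffering an attacker-chosen file of unbounded size."""
    buf = bytearray()
    for chunk in chunks:
        buf.extend(chunk)
        if len(buf) > max_bytes:
            raise ValueError(f"remote file exceeds {max_bytes} bytes")
    return bytes(buf)


def handle_temp_resource(limiter: InFlightLimiter, client: str, fetch):
    """Guarded request handler returning (status, body). 'fetch' is a
    hypothetical callable standing in for the download the endpoint performs."""
    if not limiter.try_acquire(client):
        return 429, None  # refuse immediately; no thread is tied up
    try:
        return 200, fetch()
    except ValueError:
        return 413, None  # remote body exceeded the size cap
    finally:
        limiter.release(client)
```

The client key should be something the caller cannot cheaply vary (authenticated user id rather than a header); the total cap is what protects the request-thread pool when many distinct clients attack at once.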
6.1
CVSSv3
CVE-2022-37431
A Reflected Cross-site scripting (XSS) issue exists in dotCMS Core up to and including 22.06. This occurs in the admin portal when the configuration has XSS_PROTECTION_ENABLED=false. NOTE: the vendor disputes this because the current product behavior, in effect, has XSS_PROTECTIO...
Dotcms Dotcms
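Both XSS entries above (reflected request parameters in a JSP, and an admin portal whose behaviour depends on an XSS-protection setting) come down to the same fix: encode each reflected value for the exact context it lands in, and do not rely on a global filter. The block below is an added illustration of context-specific output encoding, written in Python rather than JSP; `render_image_tool` is a hypothetical template that only borrows the parameter names from the first entry and is not dotCMS code.

```python
import html
import string

# Characters passed through unchanged inside a JavaScript string literal;
# everything else becomes a \uXXXX escape, so quotes, backslashes, "<", ">"
# and line terminators can never end the literal or the <script> element.
_JS_SAFE = set(string.ascii_letters + string.digits + " ,.-_:")


def encode_for_html_text(value: str) -> str:
    """Element content: & < > must not be read as markup."""
    return html.escape(value, quote=False)


def encode_for_html_attribute(value: str) -> str:
    """Quoted attribute value: additionally neutralize both quote characters."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """JavaScript string literal: escape everything outside a small safe set."""
    out = []
    for ch in value:
        if ch in _JS_SAFE:
            out.append(ch)
        else:
            units = ch.encode("utf-16-be")  # two escapes for astral code points
            for i in range(0, len(units), 2):
                out.append("\\u%04x" % int.from_bytes(units[i:i + 2], "big"))
    return "".join(out)


def render_image_tool(inode: str, field_name: str) -> str:
    """Hypothetical template reflecting two request parameters in three
    contexts, each through the encoder that fits that context."""
    return (
        f'<div id="{encode_for_html_attribute(inode)}">'
        f"{encode_for_html_text(field_name)}</div>"
        f"<script>var inode = '{encode_for_js_string(inode)}';</script>"
    )
```

The JavaScript encoder is deliberately stricter than HTML escaping: `html.escape` alone would leave `'` or a line terminator free to close the string literal, and `</script>` inside any literal would still end the script element unless `<` and `/` are escaped.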
8.8
CVSSv3
CVE-2017-3187
The dotCMS administration panel, versions 3.7.1 and earlier, is vulnerable to cross-site request forgery (CSRF). An attacker can perform actions with the same permissions as a victim us...
Dotcms Dotcms
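A CSRF-protected admin action needs a per-session secret that a page on another origin cannot read, checked on every state-changing request, optionally backed by an Origin/Referer check. The following is an added example of that synchronizer-token pattern, not dotCMS's implementation; the session and header dictionaries and the allowed-origin set are assumptions for the demonstration.

```python
import hmac
import secrets
from urllib.parse import urlsplit


def issue_csrf_token(session: dict) -> str:
    """Create one unguessable token per session and reuse it for that session's forms."""
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)
        session["csrf_token"] = token
    return token


def verify_csrf(session: dict, headers: dict, form: dict, allowed_origins: set) -> bool:
    """Run before any state-changing admin action.

    1. The form must carry the token stored in the server-side session,
       compared in constant time.
    2. If the browser sent an Origin (or, failing that, a Referer) header, it
       must name this site; a form hosted on an attacker's page cannot forge either.
    """
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False

    origin = headers.get("Origin")
    if origin is None and headers.get("Referer"):
        parts = urlsplit(headers["Referer"])
        origin = f"{parts.scheme}://{parts.netloc}"  # reduce to scheme://host[:port]
    if origin is not None and origin not in allowed_origins:
        return False
    return True
```

Setting the session cookie with `SameSite=Lax` or `Strict` adds a browser-enforced layer, but the token check remains the control that does not depend on client behaviour.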
8.1
CVSSv3
CVE-2017-3189
The "Push Publishing" feature of the dotCMS Enterprise Pro administration panel, versions 3.7.1 and earlier, is vulnerable to arbitrary file upload. When "Bundle" tar.gz archives uploaded to the Push Publishing feature are decompressed, there are no chec...
Dotcms Dotcms
7.2
CVSSv3
CVE-2016-10007
SQL injection vulnerability in the "Marketing > Forms" screen in dotCMS prior to 3.7.2 and 4.x prior to 4.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the _EXT_FORM_HANDLER_orderBy parameter.
Dotcms Dotcms
7.2
CVSSv3
CVE-2016-10008
SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS prior to 3.7.2 and 4.x prior to 4.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the _EXT_STRUCTURE_direction parameter.
Dotcms Dotcms
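The two SQL injection entries above share a detail worth a worked example: the injected parameters are an `orderBy` value and a sort `direction`. Those positions cannot be protected with bound parameters, so the fix is an allowlist lookup rather than quoting. The block below, an added example and not dotCMS code, shows the unsafe concatenation next to the allowlisted version, and how an attacker uses an ORDER BY expression to extract a secret one true/false answer at a time. Table and column names are constructed for the demonstration.

```python
import sqlite3

# Allowlists: the only values that may ever reach the SQL text. Keys are the
# request-parameter values, values are real column names (constructed here;
# the real screen's columns are not given on the page).
ALLOWED_SORT_COLUMNS = {"name": "name", "modified": "mod_date"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_query_unsafe(order_by: str, direction: str) -> str:
    """Vulnerable pattern: request parameters pasted into ORDER BY. Bound
    parameters cannot be used in this position, so any expression runs."""
    return f"SELECT id, name FROM structure ORDER BY {order_by} {direction}"


def build_query_safe(order_by: str, direction: str) -> str:
    """Hardened pattern: map both parameters through fixed allowlists and
    reject anything else before touching the SQL string."""
    try:
        column = ALLOWED_SORT_COLUMNS[order_by]
        dir_sql = ALLOWED_DIRECTIONS[direction.lower()]
    except KeyError:
        raise ValueError(f"rejected sort parameters {order_by!r}, {direction!r}") from None
    return f"SELECT id, name FROM structure ORDER BY {column} {dir_sql}"


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory tables standing in for an admin listing and a secret."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE structure (id INTEGER PRIMARY KEY, name TEXT, mod_date TEXT);
        INSERT INTO structure VALUES (1, 'News', '2020-01-01'),
                                     (2, 'Blog', '2020-02-01'),
                                     (3, 'Event', '2020-03-01');
        CREATE TABLE user_ (id INTEGER PRIMARY KEY, password_hash TEXT);
        INSERT INTO user_ VALUES (1, 'secret-hash-value');
        """
    )
    return conn


def sorted_ids(conn: sqlite3.Connection, sql: str) -> list:
    return [row[0] for row in conn.execute(sql)]


def blind_probe(conn: sqlite3.Connection, prefix: str) -> bool:
    """Attacker's view of the unsafe builder: the ORDER BY expression flips the
    row order depending on a secret, so each request leaks one yes/no answer."""
    payload = (
        "CASE WHEN (SELECT password_hash FROM user_ WHERE id = 1) "
        f"LIKE '{prefix}%' THEN id ELSE -id END"
    )
    return sorted_ids(conn, build_query_unsafe(payload, "")) == [1, 2, 3]
```

The allowlist approach also keeps the mapping between what the UI sends and what the schema calls the column in one place, so renaming a column never turns into a string-matching exercise in the request layer.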
7.5
CVSSv3
CVE-2016-4803
CRLF injection vulnerability in the send email functionality in dotCMS prior to 3.3.2 allows remote malicious users to inject arbitrary email headers via CRLF sequences in the subject.
Dotcms Dotcms
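The CRLF entry above is the classic e-mail header injection: a subject containing a line break ends the Subject header and lets the caller append headers of their own. Added example, not dotCMS code: a vulnerable hand-built message next to a version that refuses CR, LF and NUL in any user-controlled header value, with a minimal parser to show what a receiving mail server would see.

```python
import re

# CR, LF and NUL in a header value let the caller terminate the header and
# append new ones (Bcc:, extra recipients, a second body).
_HEADER_FORBIDDEN = re.compile(r"[\r\n\x00]")


def build_message_unsafe(to: str, subject: str, body: str) -> str:
    """Vulnerable pattern: the user-supplied subject goes straight into the header block."""
    return f"To: {to}\r\nSubject: {subject}\r\n\r\n{body}"


def clean_header_value(value: str) -> str:
    """Reject any header value that could break out of its line. Folding
    (CRLF followed by whitespace) is legal in RFC 5322, but user input never
    needs it, so refusing is simpler and safer than trying to re-fold."""
    if _HEADER_FORBIDDEN.search(value):
        raise ValueError("header value contains CR, LF or NUL")
    return value


def build_message_safe(to: str, subject: str, body: str) -> str:
    """Hardened pattern: every user-controlled header value is vetted first."""
    return (
        f"To: {clean_header_value(to)}\r\n"
        f"Subject: {clean_header_value(subject)}\r\n\r\n{body}"
    )


def parse_headers(raw: str) -> list:
    """Minimal header split showing what a receiving MTA would see."""
    head, _, _ = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers
```

In real code, build messages with `email.message.EmailMessage` under `email.policy.default`, which raises `ValueError` for a header value containing a line break, rather than concatenating strings; the explicit check above is what that library behaviour amounts to.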
9.8
CVSSv3
CVE-2020-6754
dotCMS prior to 5.2.4 is vulnerable to directory traversal, leading to incorrect access control. It allows a malicious user to read or execute files under $TOMCAT_HOME/webapps/ROOT/assets (which should be a protected directory). Additionally, attackers can upload temporary files...
Dotcms Dotcms
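The directory-traversal entry above and the earlier Push Publishing entry (bundle tar.gz archives decompressed without checks) are both path-containment problems: a caller-supplied path, whether from a URL or from an archive entry name, must resolve to a location inside the intended root before it is read, written or extracted. This added example, not dotCMS code, shows one containment check applied to both cases; the root directories and the archive contents are constructed for the demonstration.

```python
import io
import posixpath
import tarfile


def resolve_under_root(root: str, requested: str):
    """Return the normalized path for 'requested' if it stays inside 'root', else None.

    Call this after URL-decoding, so "%2e%2e" is already "..". posixpath.normpath
    collapses ".." lexically; on a real filesystem also apply os.path.realpath,
    so a symlink inside the root cannot point back out of it.
    """
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def vet_archive_members(tar: tarfile.TarFile, dest: str):
    """Apply the same containment rule to every entry of an uploaded bundle
    before extraction, and refuse links, which can also escape the destination."""
    accepted, rejected = [], []
    for member in tar.getmembers():
        target = resolve_under_root(dest, member.name)
        if target is None or member.issym() or member.islnk():
            rejected.append(member.name)
        else:
            accepted.append(target)
    return accepted, rejected


def make_demo_bundle() -> io.BytesIO:
    """Constructed tar.gz with one benign entry and one entry that climbs out."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in [("bundle/page.html", b"<h1>ok</h1>"), ("../../outside.txt", b"x")]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def demo_bundle_check(dest: str = "/srv/dotcms/bundles"):
    """Vet the constructed bundle against a hypothetical extraction directory."""
    with tarfile.open(fileobj=make_demo_bundle(), mode="r:gz") as tar:
        return vet_archive_members(tar, dest)
```

For Python 3.12 and later (and the security backports), `TarFile.extractall(filter="data")` enforces equivalent rules on extraction; the explicit check is still useful to log and reject a bad bundle as a whole before writing anything.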