Vulnerability Details : CVE-2012-1826
dotCMS 1.9 before 1.9.5.1 allows remote authenticated users to execute arbitrary Java code via a crafted (1) XSLT or (2) Velocity template.
Products affected by CVE-2012-1826
- cpe:2.3:a:dotcms:dotcms:1.9.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:dotcms:dotcms:1.9:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-1826
0.49%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 73 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2012-1826
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.0
|
MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
6.8
|
6.4
|
NIST |
CWE ids for CVE-2012-1826
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-1826
-
http://dotcms.com/dotCMSVersions/
404 | dotCMS
-
https://github.com/dotCMS/dotCMS/issues/261
Fix XSLT Scripting Exploit · Issue #261 · dotCMS/core · GitHub
-
https://gist.github.com/2627440
XSLT Tool Patch · GitHub
-
http://www.securityfocus.com/bid/53688
dotCMS CVE-2012-1826 Arbitrary Code Execution Vulnerability
-
http://www.kb.cert.org/vuls/id/898083
VU#898083 - dotCMS template permissions allow arbitrary code executionUS Government Resource
-
https://github.com/dotCMS/dotCMS/issues/281
Make the default uberspector of of Velocity use the Secure One · Issue #281 · dotCMS/core · GitHub
Jump to