CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Dotcms » Dotcms » 3.7.0 : Security Vulnerabilities

Cpe Name:cpe:/a:dotcms:dotcms:3.7.0
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2019-12872 89 Sql 2019-06-18 2019-06-18
6.5
None Remote Low Single system Partial Partial Partial
dotCMS before 5.1.6 is vulnerable to a SQL injection that can be exploited by an attacker of the role Publisher via view_unpushed_bundles.jsp.
2 CVE-2019-12309 22 Dir. Trav. 2019-05-23 2019-05-24
4.0
None Remote Low Single system None Partial None
dotCMS before 5.1.0 has a path traversal vulnerability exploitable by an administrator to create files. The vulnerability is caused by the insecure extraction of a ZIP archive.
3 CVE-2017-6003 79 XSS 2017-03-26 2017-03-28
4.3
None Remote Medium Not required None Partial None
dotCMS 3.7.0 has XSS reachable from ext/languages_manager/edit_language in portal/layout via the bottom two form fields.
4 CVE-2017-5877 79 XSS 2017-02-06 2017-02-09
4.3
None Remote Medium Not required None Partial None
XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack against the /about-us/locations/index direction parameter.
5 CVE-2017-5876 79 XSS 2017-02-06 2017-02-09
4.3
None Remote Medium Not required None Partial None
XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack against the /news-events/events date parameter.
6 CVE-2017-5875 79 XSS 2017-02-06 2017-02-09
3.5
None Remote Medium Single system None Partial None
XSS was discovered in dotCMS 3.7.0, with an authenticated attack against the /myAccount addressID parameter.
7 CVE-2016-10008 89 Exec Code Sql 2018-02-19 2018-03-05
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.7.2 and 4.x before 4.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the _EXT_STRUCTURE_direction parameter.
8 CVE-2016-10007 89 Exec Code Sql 2018-02-19 2018-03-05
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the "Marketing > Forms" screen in dotCMS before 3.7.2 and 4.x before 4.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the _EXT_FORM_HANDLER_orderBy parameter.
Total number of vulnerabilities : 8   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.