Filtered by vendor Dotcms
Total: 15 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2020-17542 | 1 Dotcms | 1 Dotcms | 2021-04-30 | 3.5 LOW | 5.4 MEDIUM | Cross Site Scripting (XSS) in dotCMS v5.1.5 allows remote attackers to execute arbitrary code by injecting a malicious payload into the "Task Detail" comment window of the "/dotAdmin/#/c/workflow" component. |
| CVE-2020-35274 | 1 Dotcms | 1 Dotcms | 2020-12-21 | 3.5 LOW | 4.8 MEDIUM | DotCMS Add Template with admin panel 20.11 is affected by cross-site Scripting (XSS) to gain remote privileges. An attacker could compromise the security of a website or web application through a stored XSS attack and stealing cookies using XSS. |
| CVE-2017-3188 | 1 Dotcms | 1 Dotcms | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM | The dotCMS administration panel, versions 3.7.1 and earlier, "Push Publishing" feature in Enterprise Pro is vulnerable to path traversal. When "Bundle" tar.gz archives uploaded to the Push Publishing feature are decompressed, the filenames of its contents are not properly checked, allowing for writing files to arbitrary directories on the file system. These archives may be uploaded directly via the administrator panel, or using the CSRF vulnerability (CVE-2017-3187). An unauthenticated remote attacker may perform actions with the dotCMS administrator panel with the same permissions of a victim user or execute arbitrary system commands with the permissions of the user running the dotCMS application. |
| CVE-2019-12309 | 1 Dotcms | 1 Dotcms | 2019-05-24 | 4.0 MEDIUM | 4.9 MEDIUM | dotCMS before 5.1.0 has a path traversal vulnerability exploitable by an administrator to create files. The vulnerability is caused by the insecure extraction of a ZIP archive. |
| CVE-2019-11846 | 1 Dotcms | 1 Dotcms | 2019-05-20 | 4.3 MEDIUM | 6.1 MEDIUM | /servlets/ajax_file_upload?fieldName=binary3 in dotCMS 5.1.1 allows XSS and HTML Injection. |
| CVE-2017-5877 | 1 Dotcms | 1 Dotcms | 2019-03-15 | 4.3 MEDIUM | 6.1 MEDIUM | XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack against the /about-us/locations/index direction parameter. |
| CVE-2017-5876 | 1 Dotcms | 1 Dotcms | 2019-03-15 | 4.3 MEDIUM | 6.1 MEDIUM | XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack against the /news-events/events date parameter. |
| CVE-2017-5875 | 1 Dotcms | 1 Dotcms | 2019-03-15 | 3.5 LOW | 5.4 MEDIUM | XSS was discovered in dotCMS 3.7.0, with an authenticated attack against the /myAccount addressID parameter. |
| CVE-2017-6003 | 1 Dotcms | 1 Dotcms | 2019-03-12 | 4.3 MEDIUM | 6.1 MEDIUM | dotCMS 3.7.0 has XSS reachable from ext/languages_manager/edit_language in portal/layout via the bottom two form fields. |
| CVE-2018-17422 | 1 Dotcms | 1 Dotcms | 2019-03-08 | 5.8 MEDIUM | 6.1 MEDIUM | dotCMS before 5.0.2 has open redirects via the html/common/forward_js.jsp FORWARD_URL parameter or the html/portlet/ext/common/page_preview_popup.jsp hostname parameter. |
| CVE-2018-19554 | 1 Dotcms | 1 Dotcms | 2019-03-06 | 3.5 LOW | 5.4 MEDIUM | An issue was discovered in Dotcms through 5.0.3. Attackers may perform XSS attacks via the inode, identifier, or fieldName parameter in html/js/dotcms/dijit/image/image_tool.jsp. |
| CVE-2018-16980 | 1 Dotcms | 1 Dotcms | 2018-11-02 | 4.3 MEDIUM | 6.1 MEDIUM | dotCMS V5.0.1 has XSS in the /html/portlet/ext/contentlet/image_tools/index.jsp fieldName and inode parameters. |
| CVE-2017-15219 | 1 Dotcms | 1 Dotcms | 2017-10-25 | 3.5 LOW | 5.4 MEDIUM | The dotCMS 4.1.1 application is vulnerable to Stored Cross-Site Scripting (XSS) affecting a vanity-urls Title field, a containers Description field, and a templates Description field. |
| CVE-2016-3971 | 1 Dotcms | 1 Dotcms | 2016-12-16 | 3.5 LOW | 4.8 MEDIUM | Cross-site scripting (XSS) vulnerability in lucene_search.jsp in dotCMS before 3.5.1 allows remote attackers to inject arbitrary web script or HTML via the query parameter to c/portal/layout. |
| CVE-2016-3688 | 1 Dotcms | 1 Dotcms | 2016-04-28 | 4.0 MEDIUM | 6.5 MEDIUM | SQL injection vulnerability in dotCMS before 3.5 allows remote administrators to execute arbitrary SQL commands via the c0-e3 parameter to dwr/call/plaincall/UserAjax.getUsersList.dwr. |
