Dotcms

58 vulnerabilities found.

Note: This list may be incomplete. Data is provided in its original format without warranty.
Exploit
  • EPSS 1.02%
  • Published 10.11.2022 21:15:10
  • Last modified 01.05.2025 14:15:25

dotCMS before 22.06 allows remote attackers to bypass intended access control and obtain sensitive information by using a semicolon in a URL to introduce a matrix parameter. (This is also fixed in 5.3.8.12, 21.06.9, and 22.03.2 for LTS users.) Some J...

  • EPSS 0.25%
  • Published 05.08.2022 06:15:08
  • Last modified 21.11.2024 07:14:58

A Reflected Cross-site scripting (XSS) issue was discovered in dotCMS Core through 22.06. This occurs in the admin portal when the configuration has XSS_PROTECTION_ENABLED=false. NOTE: the vendor disputes this because the current product behavior, in...

Warning Exploit
  • EPSS 94.34%
  • Published 17.07.2022 22:15:08
  • Last modified 03.11.2025 15:52:14

An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside...

Exploit
  • EPSS 9.29%
  • Published 08.09.2021 21:15:09
  • Last modified 21.11.2024 05:08:57

Unrestricted Upload of File with Dangerous Type in DotCMS v5.2.3 and earlier allows remote attackers to execute arbitrary code via the component "/src/main/java/com/dotmarketing/filters/CMSFilter.java".

  • EPSS 1.3%
  • Published 18.08.2021 17:15:07
  • Last modified 21.11.2024 05:08:49

Incorrect Access Control in DotCMS versions before 5.1 allows remote attackers to gain privileges by injecting client configurations via vtl (velocity) files.

Exploit
  • EPSS 0.39%
  • Published 09.07.2021 22:15:08
  • Last modified 21.11.2024 06:12:15

A reflected cross site scripting (XSS) vulnerability in dotAdmin/#/c/links of dotCMS 21.05.1 allows attackers to execute arbitrary commands or HTML via a crafted payload.

Exploit
  • EPSS 0.36%
  • Published 09.07.2021 22:15:08
  • Last modified 21.11.2024 06:12:15

A reflected cross site scripting (XSS) vulnerability in dotAdmin/#/c/containers of dotCMS 21.05.1 allows attackers to execute arbitrary commands or HTML via a crafted payload.

Exploit
  • EPSS 0.4%
  • Published 09.07.2021 22:15:08
  • Last modified 21.11.2024 06:12:15

A stored cross site scripting (XSS) vulnerability in dotAdmin/#/c/c_Images of dotCMS 21.05.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' and 'Filename' parameters.

Exploit
  • EPSS 0.3%
  • Published 23.04.2021 21:15:07
  • Last modified 21.11.2024 05:08:19

Cross Site Scripting (XSS) in dotCMS v5.1.5 allows remote attackers to execute arbitrary code by injecting a malicious payload into the "Task Detail" comment window of the "/dotAdmin/#/c/workflow" component.

Exploit
  • EPSS 0.44%
  • Published 30.12.2020 19:15:13
  • Last modified 21.11.2024 05:21:55

dotCMS before 20.10.1 allows SQL injection, as demonstrated by the /api/v1/containers orderby parameter. The PaginatorOrdered classes that are used to paginate results of REST endpoints do not sanitize the orderBy parameter and in some cases it is ...