
CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 2

SQL injection vulnerability in the "Site Browser > Containers pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter. dotCMS versions before 3.5, 3.3.1, and 3.3.2 suffer from multiple remote SQL injection vulnerabilities.
References:
http://seclists.org/fulldisclosure/2016/Nov/0
http://www.securityfocus.com/bid/94311
https://github.com/dotCMS/core/pull/8460
https://github.com/dotCMS/core/pull/8468
https://security.elarlang.eu/multiple-sql-injection-vulnerabilities-in-dotcms-8x-cve-full-disclosure.html
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 2

SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter. dotCMS versions before 3.5, 3.3.1, and 3.3.2 suffer from multiple remote SQL injection vulnerabilities.
References:
http://seclists.org/fulldisclosure/2016/Nov/0
http://www.securityfocus.com/bid/94311
https://github.com/dotCMS/core/pull/8460
https://github.com/dotCMS/core/pull/8468
https://security.elarlang.eu/multiple-sql-injection-vulnerabilities-in-dotcms-8x-cve-full-disclosure.html
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 2

In dotCMS 3.2.1, an attacker can load the captcha once, fill it in with the correct value, and that correct value is then accepted by later forms that perform a captcha check.
References:
http://seclists.org/fulldisclosure/2016/Oct/63
http://www.securityfocus.com/bid/93798
https://github.com/dotCMS/core/issues/9330
https://security.elarlang.eu/cve-2016-8600-dotcms-captcha-bypass-by-reusing-valid-code.html
Weakness: CWE-254: 7PK - Security Features; CWE-264: Permissions, Privileges, and Access Controls

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 2

CRLF injection vulnerability in the send email functionality in dotCMS before 3.3.2 allows remote attackers to inject arbitrary email headers via CRLF sequences in the subject. dotCMS versions prior to 3.5 and 3.3.2 suffer from an email header injection vulnerability.
References:
http://seclists.org/fulldisclosure/2016/May/69
http://www.securityfocus.com/bid/91529
https://dotcms.com/docs/latest/change-log#release-3.3.2
https://security.elarlang.eu/cve-2016-4803-dotcms-email-header-injection-vulnerability-full-disclosure.html

CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 0

SQL injection vulnerability in the Workflow Screen in dotCMS before 3.3.2 allows remote administrators to execute arbitrary SQL commands via the orderby parameter. dotCMS versions before 3.5, 3.3.1, and 3.3.2 suffer from multiple remote SQL injection vulnerabilities.
References:
http://dotcms.com/security/SI-36
https://github.com/dotCMS/core/commit/bc4db5d71dc67015572f8e4c6fdf87e29b854d02
https://github.com/dotCMS/core/issues/8840
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')