
CVSS: 4.9 | EPSS: 0% | CPEs: 1 | EXPL: 0

dotCMS before 5.1.0 has a path traversal vulnerability exploitable by an administrator to create files. The vulnerability is caused by the insecure extraction of a ZIP archive. • https://dotcms.com/security/SI-48 https://github.com/dotCMS/core/compare/605e5db...364c910 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

dotCMS before 5.0.2 has open redirects via the html/common/forward_js.jsp FORWARD_URL parameter or the html/portlet/ext/common/page_preview_popup.jsp hostname parameter. • https://github.com/dotCMS/core/issues/15286 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

An issue was discovered in Dotcms through 5.0.3. Attackers may perform XSS attacks via the inode, identifier, or fieldName parameter in html/js/dotcms/dijit/image/image_tool.jsp. • https://medium.com/%40buxuqua/dotcms-xss-65cdc4174815 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

dotCMS V5.0.1 has XSS in the /html/portlet/ext/contentlet/image_tools/index.jsp fieldName and inode parameters. • https://github.com/dotCMS/core/issues/15274 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

The dotCMS administration panel, versions 3.7.1 and earlier, is vulnerable to cross-site request forgery. The dotCMS administrator panel contains a cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request. An unauthenticated remote attacker may perform actions with the dotCMS administrator panel with the same permissions as a victim user or execute arbitrary system commands with the permissions of the user running the dotCMS application. • http://www.securityfocus.com/bid/96616 https://www.kb.cert.org/vuls/id/168699 • CWE-352: Cross-Site Request Forgery (CSRF)