CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2017-5877
https://notcve.org/view.php?id=CVE-2017-5877
XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack against the /about-us/locations/index direction parameter. XSS fue descubierto en dotCMS 3.7.0, con un ataque no autenticado contra el parámetro /about-us/locations/index direction. • http://www.securityfocus.com/bid/96115 https://github.com/dotCMS/core/issues/10643 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2017-5876
https://notcve.org/view.php?id=CVE-2017-5876
XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack against the /news-events/events date parameter. XSS fue descubierto en dotCMS 3.7.0, con un ataque no autenticado contra el parámetro /news-events/events date. • http://www.securityfocus.com/bid/96115 https://github.com/dotCMS/core/issues/10643 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-2355
https://notcve.org/view.php?id=CVE-2016-2355
SQL injection vulnerability in the REST API in dotCMS before 3.3.2 allows remote attackers to execute arbitrary SQL commands via the stName parameter to api/content/save/1. Vulnerabilidad de inyección SQL en la API REST en dotCMS en versiones anteriores a 3.3.2 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro stName a api/content/save/1. • http://dotcms.com/security/SI-35 http://www.securityfocus.com/bid/94992 https://github.com/dotCMS/core/issues/8848 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2016-8902 – dotCMS 3.x SQL Injection
https://notcve.org/view.php?id=CVE-2016-8902
SQL injection vulnerability in the categoriesServlet servlet in dotCMS before 3.3.1 allows remote not authenticated attackers to execute arbitrary SQL commands via the sort parameter. Vulnerabilidad de inyección SQL en el servlet categoriesServlet en dotCMS en versiones anteriores a 3.3.1 permite a atacantes remotos no autenticados ejecutar comandos SQL arbitrarios a través del parámetro sort dotCMS versions before 3.5, 3.3.1, and 3.3.2 suffer from multiple remote SQL injection vulnerabilities. • http://seclists.org/fulldisclosure/2016/Nov/0 http://www.securityfocus.com/bid/94311 https://github.com/dotCMS/core/pull/8460 https://github.com/dotCMS/core/pull/8468 https://security.elarlang.eu/multiple-sql-injection-vulnerabilities-in-dotcms-8x-cve-full-disclosure.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2016-8903 – dotCMS 3.x SQL Injection
https://notcve.org/view.php?id=CVE-2016-8903
SQL injection vulnerability in the "Site Browser > Templates pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter. Vulnerabilidad de inyección SQL en la pantalla "Site Browser > Templates pages" en dotCMS en versiones anteriores a 3.3.1 permite a atacantes remotos autenticados ejecutar comandos SQL arbitrarios a través del parámetro orderby. dotCMS versions before 3.5, 3.3.1, and 3.3.2 suffer from multiple remote SQL injection vulnerabilities. • http://seclists.org/fulldisclosure/2016/Nov/0 http://www.securityfocus.com/bid/94311 https://github.com/dotCMS/core/pull/8460 https://github.com/dotCMS/core/pull/8468 https://security.elarlang.eu/multiple-sql-injection-vulnerabilities-in-dotcms-8x-cve-full-disclosure.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •