CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 2CVE-2017-11466
https://notcve.org/view.php?id=CVE-2017-11466
Arbitrary file upload vulnerability in com/dotmarketing/servlets/AjaxFileUploadServlet.class in dotCMS 4.1.1 allows remote authenticated administrators to upload .jsp files to arbitrary locations via directory traversal sequences in the fieldName parameter to servlets/ajax_file_upload. This results in arbitrary code execution by requesting the .jsp file at a /assets URI. Vulnerabilidad de carga de archivos arbitraria en el archivo com/dotmarketing/servlets/AjaxFileUploadServlet.class en dotCMS versión 4.1.1, permite a los administradores autenticados remotos cargar archivos .jsp en ubicaciones arbitrarias por medio de secuencias de salto de directorio en el parámetro fieldName en servlets/ajax_file_upload. Esto da como resultado la ejecución de código arbitrario mediante la petición del archivo .jsp en un URI /asset. • http://seclists.org/fulldisclosure/2017/Jul/33 https://github.com/dotCMS/core/issues/12131 https://packetstormsecurity.com/files/143383/dotcms411-shell.txt • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-6003
https://notcve.org/view.php?id=CVE-2017-6003
dotCMS 3.7.0 has XSS reachable from ext/languages_manager/edit_language in portal/layout via the bottom two form fields. dotCMS 3.7.0 tiene XSS accesible desde ext/languages_manager/edit_language en portal/layout a través de los dos campos de formulario inferiores. • http://www.securityfocus.com/bid/97089 http://www.yiwang6.cn/dotcms.docx • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 3CVE-2017-5344 – dotCMS 3.6.1 - Blind Boolean SQL Injection
https://notcve.org/view.php?id=CVE-2017-5344
An issue was discovered in dotCMS through 3.6.1. The findChildrenByFilter() function which is called by the web accessible path /categoriesServlet performs string interpolation and direct SQL query execution. SQL quote escaping and a keyword blacklist were implemented in a new class, SQLUtil (main/java/com/dotmarketing/common/util/SQLUtil.java), as part of the remediation of CVE-2016-8902; however, these can be overcome in the case of the q and inode parameters to the /categoriesServlet path. Overcoming these controls permits a number of blind boolean SQL injection vectors in either parameter. The /categoriesServlet web path can be accessed remotely and without authentication in a default dotCMS deployment. • https://www.exploit-db.com/exploits/41377 http://dotcms.com/security/SI-39 http://seclists.org/fulldisclosure/2017/Feb/34 http://www.securityfocus.com/bid/96259 https://github.com/xdrr/webapp-exploits/blob/master/vendors/dotcms/2017.01.blind-sqli/dotcms-dump.sh • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2017-5875
https://notcve.org/view.php?id=CVE-2017-5875
XSS was discovered in dotCMS 3.7.0, with an authenticated attack against the /myAccount addressID parameter. XSS fue descubierto en dotCMS 3.7.0, con un ataque autenticado contra el parámetro /myAccount addressID. • http://www.securityfocus.com/bid/96115 https://github.com/dotCMS/core/issues/10643 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2017-5877
https://notcve.org/view.php?id=CVE-2017-5877
XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack against the /about-us/locations/index direction parameter. XSS fue descubierto en dotCMS 3.7.0, con un ataque no autenticado contra el parámetro /about-us/locations/index direction. • http://www.securityfocus.com/bid/96115 https://github.com/dotCMS/core/issues/10643 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •