Known Security Issues

Last Updated: Jan 30, 2023
documentation for the dotCMS Content Management System
| Issue | Published | Title | Severity | Fix Version |
|---|---|---|---|---|
| SI-72 | 2024-04-19 | SessionID Visible to All Admins Via Logged Users Tab | Medium | 24.07.12 / 23.01.20 LTS / 23.10.24v13 LTS / 24.04.24v5 LTS |
| SI-71 | 2024-04-08 | HTML Injection Error on Password Reset Login Page | Medium | 24.05.31 / 23.01.18 LTS / 23.10.24v11 LTS / 24.04.24v3 LTS |
| SI-70 | 2024-03-15 | Improper Handling of Database Credentials During Logging | Medium | 24.03.22 / 22.03.15 LTS / 23.01.15 LTS / 23.10.24v8 LTS |
| SI-69 | 2024-03-15 | Broken Access Control for Roles with User Admin | Medium | 24.03.22 / 22.03.15 LTS / 23.01.15 LTS / 23.10.24v8 LTS |
| SI-68 | 2023-06-30 | Broken Access Control — Normalization Filter | Medium | 23.06+, LTS 22.03.7+, LTS 23.01.4+ |
| SI-67 | 2022-12-15 | Directory Traversal with RCE | Medium | 22.12+, LTS 21.06.12+, LTS 22.03.4+ |
| SI-66 | 2022-11-30 | Insecure random number generation in password reset token | High | 22.12+, LTS 21.06.12+, LTS 22.03.4+ |
| SI-65 | 2022-08-17 | Possible DOS by overloading the TempFileResource | Low | 22.10+, LTS 21.06.12+, LTS 22.03.4+ |
| SI-64 | 2022-08-25 | TempFileAPI can bypass access restrictions to access local/private network resources | Medium | 22.08+, LTS 21.06.12+, LTS 22.03.4+ |
| SI-63 | 2022-06-14 | Matrix URI parameters can expose private assets | Medium | 22.06, 22.03.2, 21.06.9, 5.3.8.12 |
| SI-62 | 2022-03-28 | Multipart File Directory Traversal can lead to remote execution | Critical | 22.03, 5.3.8.10, 21.06.7 |
| SI-61 | 2021-12-20 | Log4j Zero-Day Exploit (CVE-2021-44228) | Critical | 21.12 (see Mitigations for other versions) |
| SI-60 | 2021-12-14 | Server-Side Request Forgery (SSRF) in dotcms/core | Medium | 21.12 |
| SI-59 | 2021-12-13 | Improper Privilege Management in Velocity | Medium | 21.12, 5.3.8.4, 21.06.04 |
| SI-58 | 2021-12-10 | log4j2 JNDI Remote Exploit | Critical | 21.06.4lts, 5.3.8.6.2lts, 21.12 |
| SI-57 | 2021-05-19 | XStream vulnerable to arbitrary execution of code | Critical | 21.05, 5.3.8.5 |
| SI-56 | 2020-10-30 | Authenticated User SQL Injection Vulnerability in api | Medium | 20.10.1, 5.3.8 LTS |
| SI-55 | 2020-06-05 | Authenticated users may instantiate arbitrary Java objects | Medium | 5.3.0 |
| SI-54 | 2020-01-09 | Incorrect access control can lead to information disclosure and remote execution | Critical | 5.2.4 |
| SI-53 | 2019-06-06 | SQL Injection Possible By Publisher Role | Medium | 5.1.6 |
| SI-52 | 2019-05-23 | Reflected XSS Vulnerability in forward_js.jsp | Medium | 5.2.0 |
| SI-51 | 2019-01-25 | User Privilege Escalation Possible In Velocity Code | Medium | 5.1.0 |
| SI-50 | 2019-01-24 | Permissive CORS Policy | Low | TBD |
| SI-49 | 2019-01-24 | Reflected XSS Vulnerability in referer_js.jsp | Medium | 5.1.0 |
| SI-48 | 2019-01-10 | File Upload Vulnerability | Medium | TBD |
| SI-47 | 2019-01-10 | File Deletion Vulnerability | Medium | TBD |
| SI-46 | 2019-01-10 | Client Side URL Redirection | Medium | TBD |
| SI-45 | 2018-09-01 | BeanUtil version 1.9.2 and below allows classloader manipulation | Medium | 5.0.0 |
| SI-44 | 2018-10-03 | XSS vulnerability with image tool | Medium | 5.0.2 |
| SI-43 | 2017-03-12 | Read access to restricted files in Tomcat on Windows | Medium | n/a |
| SI-42 | 2017-03-09 | Upload of file types unrestricted | Low | n/a |
| SI-41 | 2017-03-09 | Bundle path traversal | Medium | 3.7.2 |
| SI-40 | 2017-03-09 | Cross-Site Request Forgery (CSRF) | Medium | Plugin |
| SI-39 | 2017-01-17 | Blind SQL injection | Critical | 3.6.2 |
| SI-38 | 2016-10-31 | Captcha can be programmatically reused by passing session id | Low | 3.6 |
| SI-37 | 2016-07-27 | Insufficient authentication in the CMSMaintenanceAjax class | Critical | 3.3.2, 3.5.1 |
| SI-36 | 2016-04-12 | SQL Injection from Workflow Screen III | Medium | 3.3.2, 3.5 |
| SI-35 | 2016-04-12 | SQL Injection via REST api | Critical | 3.3.2, 3.5 |
| SI-34 | 2016-04-11 | Directory traversal vulnerability by Admin | Medium | 3.3.2, 3.5 |
| SI-33 | 2016-04-11 | XSS in Lucene Search Admin tool | Low | 3.3.2, 3.5 |
| SI-32 | 2016-04-04 | SQL Injection via DWR - Requires Authenticated User | Medium | 3.3.2, 3.5 |
| SI-31 | 2015-11-30 | CSRF Add User | Critical | 3.3 |
| SI-30 | 2015-11-30 | SQL Injection from Workflow Screen II | Critical | 3.3 |
| SI-29 | 2015-11-30 | SSRF Vulnerability in RESTful ContentAPI | Low | 3.3 |
| SI-28 | 2014-09-23 | jsps exposed to non-authenticated users | Medium | 3 |
| SI-27 | 2014-09-23 | XSS on "page not found .jsp" | Low | 3 |
| SI-26 | 2014-07-17 | CRLF Header Injection vulnerability | Medium | 3 |
| SI-25 | 2014-04-21 | Password fields with enabled autocomplete | Low | 2.5.4 |
| SI-24 | 2014-04-21 | Missing Cookie Security Attribute “httpOnly” | Low | 2.5.7 |
| SI-23 | 2014-04-21 | HTTP header injection | Medium | 2.5.4 |
| SI-22 | 2014-04-21 | Arbitrary URL redirects | Low | 2.5.4 |
| SI-21 | 2014-04-21 | Information disclosure through unauthenticated and unused scripts | Critical | 2.5.4 |
| SI-20 | 2014-04-21 | Vulnerabilities in “Comments” feature | Medium | 2.5.4 |
| SI-19 | 2014-04-21 | Cross Site Scripting filter bypass | Medium | 2.5.4 |
| SI-18 | 2014-04-21 | Arbitrary Command Execution | Critical | 2.5.4 |
| SI-17 | 2014-04-21 | Forgot Password generates weak password | Critical | 2.5.4 |
| SI-16 | 2013-07-03 | Stored XSS possible in admin tool as authenticated user | Low | 3 |
| SI-15 | 2013-06-18 | AJAX requests without a session ID or other form of authentication | Critical | 2.3.2 |
| SI-14 | 2013-06-18 | XSS Vulnerability on Login Page | Medium | 2.3.2 |
| SI-13 | 2013-06-10 | Cross Site Request Forgery (XSRF or CSRF) | Low | n/a |
| SI-12 | 2013-06-08 | Possible Clickjacking / no frame busting code in dotCMS admin | Low | 3 |
| SI-11 | 2013-06-07 | Test pages shipped in product | Low | 2.3.2 |
| SI-10 | 2013-06-07 | Insecure Browser Caching | Low | 2.5 |
| SI-9 | 2013-06-05 | Use of Persistent Cookies | Low | n/a |
| SI-8 | 2013-06-05 | SQL Injection from Workflow Screen | Critical | 2.3.2 |
| SI-7 | 2013-06-04 | Possible Cross Site Redirect | Low | 2.5 |
| SI-6 | 2013-06-04 | Cross Domain Scripts Included Within Application | Low | n/a |
| SI-5 | 2013-06-02 | XSS possible after admin authentication | Medium | n/a |
| SI-4 | 2012-09-09 | XSS error on the account login page | Medium | 2.2 |
| SI-3 | 2012-04-12 | dotCMS template permissions allow arbitrary code execution | Medium | 1.9.5.1 |
| SI-2 | 2011-06-06 | Cookies do not require SSL | Medium | 2.5.7 |
| SI-1 | 2011-02-06 | Problem with XSS attack on 404 page | Low | 1.9.2 |
