Known Security Issues

Last Updated: Apr 26, 2022
documentation for the dotCMS Content Management System

If you are looking to report a suspected security issue, please read our Responsible Disclosure Policy before doing so.

| Issue | Published | Title | Severity | Fix Version |
|-------|-----------|-------|----------|-------------|
| SI-62 | 2022-03-28 | Multipart File Directory Traversal can lead to remote execution | Critical | 22.03, 5.3.8.10, 21.06.7 |
| SI-61 | 2021-12-20 | Log4j Zero-Day Exploit (CVE-2021-44228) | Critical | 21.12 (see Mitigations for other versions) |
| SI-60 | 2021-12-14 | Server-Side Request Forgery (SSRF) in dotcms/core | Moderate | 21.12 |
| SI-59 | 2021-12-13 | Improper Privilege Management in Velocity | Moderate | 21.12, 5.3.8.4, 21.06.04 |
| SI-58 | 2021-12-10 | log4j2 JNDI Remote Exploit | Critical | 21.06.4lts, 5.3.8.6.2lts, 21.12 |
| SI-57 | 2021-05-19 | XStream vulnerable to arbitrary execution of code | Critical | 21.05, 5.3.8.5 |
| SI-56 | 2020-10-30 | Authenticated User SQL Injection Vulnerability in api | Moderate | 20.10.1, 5.3.8 LTS |
| SI-55 | 2020-06-05 | Authenticated users may instantiate arbitrary Java objects | Moderate | 5.3.0 |
| SI-54 | 2020-01-09 | Incorrect access control can lead to information disclosure and remote execution | Critical | 5.2.4 |
| SI-53 | 2019-06-06 | SQL Injection Possible By Publisher Role | Moderate | 5.1.6 |
| SI-52 | 2019-05-23 | Reflected XSS Vulnerability in forward_js.jsp | Moderate | 5.2.0 |
| SI-51 | 2019-01-25 | User Privilege Escalation Possible In Velocity Code | Moderate | 5.1.0 |
| SI-50 | 2019-01-24 | Permissive CORS Policy | Low | TBD |
| SI-49 | 2019-01-24 | Reflected XSS Vulnerability in referer_js.jsp | Moderate | 5.1.0 |
| SI-48 | 2019-01-10 | File Upload Vulnerability | Moderate | TBD |
| SI-47 | 2019-01-10 | File Deletion Vulnerability | Moderate | TBD |
| SI-46 | 2019-01-10 | Client Side URL Redirection | Moderate | TBD |
| SI-44 | 2018-10-03 | XSS vulnerability with image tool | Moderate | 5.0.2 |
| SI-43 | 2017-03-12 | Read access to restricted files in Tomcat on Windows | Moderate | n/a |
| SI-42 | 2017-03-09 | Upload of file types unrestricted | Low | n/a |
| SI-41 | 2017-03-09 | Bundle path traversal | Moderate | 3.7.2 |
| SI-40 | 2017-03-09 | Cross-Site Request Forgery (CSRF) | Moderate | Plugin |
| SI-39 | 2017-01-17 | Blind SQL injection | Critical | 3.6.2 |
| SI-38 | 2016-10-31 | Captcha can be programmatically reused by passing session id | Low | 3.6 |
| SI-37 | 2016-07-27 | Insufficient authentication in the CMSMaintenanceAjax class | Critical | 3.3.2, 3.5.1 |
| SI-36 | 2016-04-12 | SQL Injection from Workflow Screen III | Moderate | 3.3.2, 3.5 |
| SI-35 | 2016-04-12 | SQL Injection via REST api | Critical | 3.3.2, 3.5 |
| SI-34 | 2016-04-11 | Directory traversal vulnerability by Admin | Moderate | 3.3.2, 3.5 |
| SI-33 | 2016-04-11 | XSS in Lucene Search Admin tool | Low | 3.3.2, 3.5 |
| SI-32 | 2016-04-04 | SQL Injection via DWR - Requires Authenticated User | Moderate | 3.3.2, 3.5 |
| SI-31 | 2015-11-30 | CSRF Add User | Critical | 3.3 |
| SI-30 | 2015-11-30 | SQL Injection from Workflow Screen II | Critical | 3.3 |
| SI-29 | 2015-11-30 | SSRF Vulnerability in RESTful ContentAPI | Low | 3.3 |
| SI-28 | 2014-09-23 | jsps exposed to non-authenticated users | Moderate | 3 |
| SI-27 | 2014-09-23 | XSS on "page not found .jsp" | Low | 3 |
| SI-26 | 2014-07-17 | CRLF Header Injection vulnerability | Moderate | 3 |
| SI-25 | 2014-04-21 | Password fields with enabled autocomplete | Low | 2.5.4 |
| SI-24 | 2014-04-21 | Missing Cookie Security Attribute "httpOnly" | Low | 2.5.7 |
| SI-23 | 2014-04-21 | HTTP header injection | Moderate | 2.5.4 |
| SI-22 | 2014-04-21 | Arbitrary URL redirects | Low | 2.5.4 |
| SI-21 | 2014-04-21 | Information disclosure through unauthenticated and unused scripts | Critical | 2.5.4 |
| SI-20 | 2014-04-21 | Vulnerabilities in "Comments" feature | Moderate | 2.5.4 |
| SI-19 | 2014-04-21 | Cross Site Scripting filter bypass | Moderate | 2.5.4 |
| SI-18 | 2014-04-21 | Arbitrary Command Execution | Critical | 2.5.4 |
| SI-17 | 2014-04-21 | Forgot Password generates weak password | Critical | 2.5.4 |
| SI-16 | 2013-07-03 | Stored XSS possible in admin tool as authenticated user | Low | 3 |
| SI-15 | 2013-06-18 | AJAX requests without a session ID or other form of authentication | Critical | 2.3.2 |
| SI-14 | 2013-06-18 | XSS Vulnerability on Login Page | Moderate | 2.3.2 |
| SI-13 | 2013-06-10 | Cross Site Request Forgery (XSRF or CSRF) | Low | n/a |
| SI-12 | 2013-06-08 | Possible Clickjacking / no frame busting code in dotCMS admin | Low | 3 |
| SI-11 | 2013-06-07 | Test pages shipped in product | Low | 2.3.2 |
| SI-10 | 2013-06-07 | Insecure Browser Caching | Low | 2.5 |
| SI-9 | 2013-06-05 | Use of Persistent Cookies | Low | n/a |
| SI-8 | 2013-06-05 | SQL Injection from Workflow Screen | Critical | 2.3.2 |
| SI-7 | 2013-06-04 | Possible Cross Site Redirect | Low | 2.5 |
| SI-6 | 2013-06-04 | Cross Domain Scripts Included Within Application | Low | n/a |
| SI-5 | 2013-06-02 | XSS possible after admin authentication | Low | n/a |
| SI-4 | 2012-09-09 | XSS error on the account login page | Moderate | 2.2 |
| SI-3 | 2012-04-12 | dotCMS template permissions allow arbitrary code execution | Moderate | 1.9.5.1 |
| SI-2 | 2011-06-06 | Cookies do not require SSL | Moderate | 2.5.7 |
| SI-1 | 2011-02-06 | Problem with XSS attack on 404 page | Low | 1.9.2 |
