A SQL injection attack is possible via the Content REST api if the api is set to allow for anonymous content saving (which is the shipped default).

• Deny access to /api endpoints to anonymous/off network traffic
• Set REST_API_REJECT_WITH_NO_USER=true in dotmarketing-config.properties

• https://github.com/dotCMS/core/issues/8848
• CERT issue CVE-2016-2355