| Issue | Published | Title | Severity | Fix Version |
|---|---|---|---|---|
| SI-72 | 2024-04-19 | SessionID Visible to All Admins Via Logged Users Tab | Medium | 24.07.12 / 23.01.20 LTS / 23.10.24v13 LTS / 24.04.24v5 LTS |
| SI-71 | 2024-04-08 | HTML Injection Error on Password Reset Login Page | Medium | 24.05.31 / 23.01.18 LTS / 23.10.24v11 LTS / 24.04.24v3 LTS |
| SI-70 | 2024-03-15 | Improper Handling of Database Credentials During Logging | Medium | 24.03.22 / 22.03.15 LTS / 23.01.15 LTS / 23.10.24v8 LTS |
| SI-69 | 2024-03-15 | Broken Access Control for Roles with User Admin | Medium | 24.03.22 / 22.03.15 LTS / 23.01.15 LTS / 23.10.24v8 LTS |
| SI-68 | 2023-06-30 | Broken Access Control — Normalization Filter | Medium | 23.06+, LTS 22.03.7+, LTS 23.01.4+ |
| SI-67 | 2022-12-15 | Directory Traversal with RCE | Medium | 22.12+, LTS 21.06.12+, LTS 22.03.4+ |
| SI-66 | 2022-11-30 | Insecure random number generation in password reset token | High | 22.12+, LTS 21.06.12+, LTS 22.03.4+ |
| SI-65 | 2022-08-17 | Possible DOS by overloading the TempFileResource | Low | 22.10+, LTS 21.06.12+, LTS 22.03.4+ |
| SI-64 | 2022-08-25 | TempFileAPI can bypass access restrictions to access local/private network resources | Medium | 22.08+, LTS 21.06.12+, LTS 22.03.4+ |
| SI-63 | 2022-06-14 | Matrix URI parameters can expose private assets | Medium | 22.06, 22.03.2, 21.06.9, 5.3.8.12 |
| SI-62 | 2022-03-28 | Multipart File Directory Traversal can lead to remote execution | Critical | 22.03, 5.3.8.10, 21.06.7 |
| SI-61 | 2021-12-20 | Log4j Zero-Day Exploit (CVE-2021-44228) | Critical | 21.12 (see Mitigations for other versions) |
| SI-60 | 2021-12-14 | Server-Side Request Forgery (SSRF) in dotcms/core | Medium | 21.12 |
| SI-59 | 2021-12-13 | Improper Privilege Management in Velocity | Medium | 21.12, 5.3.8.4, 21.06.04 |
| SI-58 | 2021-12-10 | log4j2 JNDI Remote Exploit | Critical | 21.06.4lts, 5.3.8.6.2lts, 21.12 |
| SI-57 | 2021-05-19 | XStream vulnerable to arbitrary execution of code | Critical | 21.05, 5.3.8.5 |
| SI-56 | 2020-10-30 | Authenticated User SQL Injection Vulnerability in api | Medium | 20.10.1, 5.3.8 LTS |
| SI-55 | 2020-06-05 | Authenticated users may instantiate arbitrary Java objects | Medium | 5.3.0 |
| SI-54 | 2020-01-09 | Incorrect access control can lead to information disclosure and remote execution | Critical | 5.2.4 |
| SI-53 | 2019-06-06 | SQL Injection Possible By Publisher Role | Medium | 5.1.6 |
| SI-52 | 2019-05-23 | Reflected XSS Vulnerability in forward_js.jsp | Medium | 5.2.0 |
| SI-51 | 2019-01-25 | User Privilege Escalation Possible In Velocity Code | Medium | 5.1.0 |
| SI-50 | 2019-01-24 | Permissive CORS Policy | Low | TBD |
| SI-49 | 2019-01-24 | Reflected XSS Vulnerability in referer_js.jsp | Medium | 5.1.0 |
| SI-48 | 2019-01-10 | File Upload Vulnerability | Medium | TBD |
| SI-47 | 2019-01-10 | File Deletion Vulnerability | Medium | TBD |
| SI-46 | 2019-01-10 | Client Side URL Redirection | Medium | TBD |
| SI-45 | 2018-09-01 | BeanUtil version 1.9.2 and below allows classloader manipulation | Medium | 5.0.0 |
| SI-44 | 2018-10-03 | XSS vulnerability with image tool | Medium | 5.0.2 |
| SI-43 | 2017-03-12 | Read access to restricted files in Tomcat on Windows | Medium | n/a |
| SI-42 | 2017-03-09 | Upload of file types unrestricted | Low | n/a |
| SI-41 | 2017-03-09 | Bundle path traversal | Medium | 3.7.2 |
| SI-40 | 2017-03-09 | Cross-Site Request Forgery (CSRF) | Medium | Plugin |
| SI-39 | 2017-01-17 | Blind SQL injection | Critical | 3.6.2 |
| SI-38 | 2016-10-31 | Captcha can be programmatically reused by passing session id | Low | 3.6 |
| SI-37 | 2016-07-27 | Insufficient authentication in the CMSMaintenanceAjax class | Critical | 3.3.2, 3.5.1 |
| SI-36 | 2016-04-12 | SQL Injection from Workflow Screen III | Medium | 3.3.2, 3.5 |
| SI-35 | 2016-04-12 | SQL Injection via REST api | Critical | 3.3.2, 3.5 |
| SI-34 | 2016-04-11 | Directory traversal vulnerability by Admin | Medium | 3.3.2, 3.5 |
| SI-33 | 2016-04-11 | XSS in Lucene Search Admin tool | Low | 3.3.2, 3.5 |
| SI-32 | 2016-04-04 | SQL Injection via DWR - Requires Authenticated User | Medium | 3.3.2, 3.5 |
| SI-31 | 2015-11-30 | CSRF Add User | Critical | 3.3 |
| SI-30 | 2015-11-30 | SQL Injection from Workflow Screen II | Critical | 3.3 |
| SI-29 | 2015-11-30 | SSRF Vulnerability in RESTful ContentAPI | Low | 3.3 |
| SI-28 | 2014-09-23 | jsps exposed to non-authenticated users | Medium | 3 |
| SI-27 | 2014-09-23 | XSS on "page not found .jsp" | Low | 3 |
| SI-26 | 2014-07-17 | CRLF Header Injection vulnerability | Medium | 3 |
| SI-25 | 2014-04-21 | Password fields with enabled autocomplete | Low | 2.5.4 |
| SI-24 | 2014-04-21 | Missing Cookie Security Attribute "httpOnly" | Low | 2.5.7 |
| SI-23 | 2014-04-21 | HTTP header injection | Medium | 2.5.4 |
| SI-22 | 2014-04-21 | Arbitrary URL redirects | Low | 2.5.4 |
| SI-21 | 2014-04-21 | Information disclosure through unauthenticated and unused scripts | Critical | 2.5.4 |
| SI-20 | 2014-04-21 | Vulnerabilities in "Comments" feature | Medium | 2.5.4 |
| SI-19 | 2014-04-21 | Cross Site Scripting filter bypass | Medium | 2.5.4 |
| SI-18 | 2014-04-21 | Arbitrary Command Execution | Critical | 2.5.4 |
| SI-17 | 2014-04-21 | Forgot Password generates weak password | Critical | 2.5.4 |
| SI-16 | 2013-07-03 | Stored XSS possible in admin tool as authenticated user | Low | 3 |
| SI-15 | 2013-06-18 | AJAX requests without a session ID or other form of authentication | Critical | 2.3.2 |
| SI-14 | 2013-06-18 | XSS Vulnerability on Login Page | Medium | 2.3.2 |
| SI-13 | 2013-06-10 | Cross Site Request Forgery (XSRF or CSRF) | Low | n/a |
| SI-12 | 2013-06-08 | Possible Clickjacking / no frame busting code in dotCMS admin | Low | 3 |
| SI-11 | 2013-06-07 | Test pages shipped in product | Low | 2.3.2 |
| SI-10 | 2013-06-07 | Insecure Browser Caching | Low | 2.5 |
| SI-9 | 2013-06-05 | Use of Persistent Cookies | Low | n/a |
| SI-8 | 2013-06-05 | SQL Injection from Workflow Screen | Critical | 2.3.2 |
| SI-7 | 2013-06-04 | Possible Cross Site Redirect | Low | 2.5 |
| SI-6 | 2013-06-04 | Cross Domain Scripts Included Within Application | Low | n/a |
| SI-5 | 2013-06-02 | XSS possible after admin authentication | Medium | n/a |
| SI-4 | 2012-09-09 | XSS error on the account login page | Medium | 2.2 |
| SI-3 | 2012-04-12 | dotCMS template permissions allow arbitrary code execution | Medium | 1.9.5.1 |
| SI-2 | 2011-06-06 | Cookies do not require SSL | Medium | 2.5.7 |
| SI-1 | 2011-02-06 | Problem with XSS attack on 404 page | Low | 1.9.2 |