SQL Injection from Workflow Screen III

Issue: SI-36
Date: Apr 12, 2016, 7:15:00 AM
Severity: Medium
Requires Admin Access: Yes
Fix Version: 3.3.2, 3.5
Credit: Elar Lang (Clarified Security – www.clarifiedsecurity.com)
Description:

SQL injection via the workflow screen's orderby parameter; exploitation requires an authenticated session.
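The defensive pattern for a sort parameter of this kind, as an added example that is not dotCMS code: an ORDER BY clause cannot take a bind variable, so the column name is checked against an allow-list and the direction is restricted to ASC/DESC before anything reaches the query. The table and column names are constructed for the example.

```python
import re
import sqlite3

# Constructed sample rows standing in for a workflow task list (not dotCMS's schema).
SAMPLE_TASKS = [
    (1, "Review article", "alice", "2016-04-01"),
    (2, "Approve banner", "bob", "2016-03-28"),
    (3, "Publish release", "carol", "2016-04-10"),
]

# Allow-list of sortable columns: the only identifiers an orderby value may name.
SORTABLE_COLUMNS = {"id", "title", "assignee", "mod_date"}
_ORDERBY_RE = re.compile(r"^\s*([A-Za-z_]\w*)(?:\s+(asc|desc))?\s*$", re.IGNORECASE)


def build_order_by(orderby: str) -> str:
    """Turn a user-supplied orderby parameter into an ORDER BY clause built only
    from allow-listed parts; anything else raises instead of being interpolated."""
    m = _ORDERBY_RE.match(orderby or "")
    if not m:
        raise ValueError("malformed orderby parameter")
    column, direction = m.group(1).lower(), (m.group(2) or "asc").upper()
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsortable column: {column!r}")
    return f"ORDER BY {column} {direction}"


def is_safe_orderby(orderby: str) -> bool:
    """True if the value survives validation, False if it would be rejected."""
    try:
        build_order_by(orderby)
        return True
    except ValueError:
        return False


def open_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE workflow_task (id INTEGER, title TEXT, assignee TEXT, mod_date TEXT)")
    conn.executemany("INSERT INTO workflow_task VALUES (?, ?, ?, ?)", SAMPLE_TASKS)
    return conn


def list_task_ids(conn: sqlite3.Connection, orderby: str) -> list:
    # The vulnerable shape is "SELECT ... ORDER BY " + orderby; here the clause
    # is produced solely by build_order_by, so raw input never enters the SQL.
    sql = "SELECT id FROM workflow_task " + build_order_by(orderby)
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = open_sample_db()
    print(list_task_ids(db, "mod_date desc"))
    for candidate in ("assignee", "not_a_column", "title; --"):
        print(candidate, "->", "accepted" if is_safe_orderby(candidate) else "rejected")
```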

Mitigation:

Restrict access to the URL pattern /html/portlet to your administrators' IP range.

References:

https://github.com/dotCMS/core/commit/bc4db5d71dc67015572f8e4c6fdf87e29b854d02