Known Security Issues documentation for the dotCMS Content Management System

If you are looking to report a suspected security issue, please read our Responsible Disclosure Policy before doing so.

| Issue | Published | Title | Severity | Fix Version |
|---|---|---|---|---|
| SI-57 | 2021-05-19 | XStream vulnerable to arbitrary execution of code | Critical | 21.05 |
| SI-56 | 2020-10-30 | Authenticated User SQL Injection Vulnerability in API | Moderate | 20.10.1, 5.3.8 LTS |
| SI-55 | 2020-06-05 | Authenticated users may instantiate arbitrary Java objects | Moderate | 5.3.0 |
| SI-54 | 2020-01-09 | Incorrect access control can lead to information disclosure and remote execution | Critical | 5.2.4 |
| SI-53 | 2019-06-06 | SQL Injection Possible By Publisher Role | Moderate | 5.1.6 |
| SI-52 | 2019-05-23 | Reflected XSS Vulnerability in forward_js.jsp | Moderate | 5.2.0 |
| SI-51 | 2019-01-25 | User Privilege Escalation Possible In Velocity Code | Moderate | 5.1.0 |
| SI-50 | 2019-01-24 | Permissive CORS Policy | Low | TBD |
| SI-49 | 2019-01-24 | Reflected XSS Vulnerability in referer_js.jsp | Moderate | 5.1.0 |
| SI-48 | 2019-01-10 | File Upload Vulnerability | Moderate | TBD |
| SI-47 | 2019-01-10 | File Deletion Vulnerability | Moderate | TBD |
| SI-46 | 2019-01-10 | Client Side URL Redirection | Moderate | TBD |
| SI-44 | 2018-10-03 | XSS vulnerability with image tool | Moderate | 5.0.2 |
| SI-43 | 2017-03-12 | Read access to restricted files in Tomcat on Windows | Moderate | n/a |
| SI-42 | 2017-03-09 | Upload of file types unrestricted | Low | n/a |
| SI-40 | 2017-03-09 | Cross-Site Request Forgery (CSRF) | Moderate | Plugin |
| SI-41 | 2017-03-09 | Bundle path traversal | Moderate | 3.7.2 |
| SI-39 | 2017-01-17 | Blind SQL injection | Critical | 3.6.2 |
| SI-38 | 2016-10-31 | Captcha can be programmatically reused by passing session id | Low | 3.6 |
| SI-37 | 2016-07-27 | Insufficient authentication in the CMSMaintenanceAjax class | Critical | 3.3.2, 3.5.1 |
| SI-36 | 2016-04-12 | SQL Injection from Workflow Screen III | Moderate | 3.3.2, 3.5 |
| SI-35 | 2016-04-12 | SQL Injection via REST API | Critical | 3.3.2, 3.5 |
| SI-34 | 2016-04-11 | Directory traversal vulnerability by Admin | Moderate | 3.3.2, 3.5 |
| SI-33 | 2016-04-11 | XSS in Lucene Search Admin tool | Low | 3.3.2, 3.5 |
| SI-32 | 2016-04-04 | SQL Injection via DWR - Requires Authenticated User | Moderate | 3.3.2, 3.5 |
| SI-31 | 2015-11-30 | CSRF Add User | Critical | 3.3 |
| SI-30 | 2015-11-30 | SQL Injection from Workflow Screen II | Critical | 3.3 |
| SI-29 | 2015-11-30 | SSRF Vulnerability in RESTful ContentAPI | Low | 3.3 |
| SI-28 | 2014-09-23 | JSPs exposed to non-authenticated users | Moderate | 3 |
| SI-27 | 2014-09-23 | XSS on "page not found .jsp" | Low | 3 |
| SI-26 | 2014-07-17 | CRLF Header Injection vulnerability | Moderate | 3 |
| SI-25 | 2014-04-21 | Password fields with enabled autocomplete | Low | 2.5.4 |
| SI-24 | 2014-04-21 | Missing Cookie Security Attribute "httpOnly" | Low | 2.5.7 |
| SI-23 | 2014-04-21 | HTTP header injection | Moderate | 2.5.4 |
| SI-22 | 2014-04-21 | Arbitrary URL redirects | Low | 2.5.4 |
| SI-21 | 2014-04-21 | Information disclosure through unauthenticated and unused scripts | Critical | 2.5.4 |
| SI-20 | 2014-04-21 | Vulnerabilities in "Comments" feature | Moderate | 2.5.4 |
| SI-19 | 2014-04-21 | Cross Site Scripting filter bypass | Moderate | 2.5.4 |
| SI-18 | 2014-04-21 | Arbitrary Command Execution | Critical | 2.5.4 |
| SI-17 | 2014-04-21 | Forgot Password generates weak password | Critical | 2.5.4 |
| SI-16 | 2013-07-03 | Stored XSS possible in admin tool as authenticated user | Low | 3 |
| SI-15 | 2013-06-18 | AJAX requests without a session ID or other form of authentication | Critical | 2.3.2 |
| SI-14 | 2013-06-18 | XSS Vulnerability on Login Page | Moderate | 2.3.2 |
| SI-13 | 2013-06-10 | Cross Site Request Forgery (XSRF or CSRF) | Low | n/a |
| SI-12 | 2013-06-08 | Possible Clickjacking / no frame busting code in dotCMS admin | Low | 3 |
| SI-11 | 2013-06-07 | Test pages shipped in product | Low | 2.3.2 |
| SI-10 | 2013-06-07 | Insecure Browser Caching | Low | 2.5 |
| SI-9 | 2013-06-05 | Use of Persistent Cookies | Low | n/a |
| SI-8 | 2013-06-05 | SQL Injection from Workflow Screen | Critical | 2.3.2 |
| SI-7 | 2013-06-04 | Possible Cross Site Redirect | Low | 2.5 |
| SI-6 | 2013-06-04 | Cross Domain Scripts Included Within Application | Low | n/a |
| SI-5 | 2013-06-02 | XSS possible after admin authentication | Low | n/a |
| SI-4 | 2012-09-09 | XSS error on the account login page | Moderate | 2.2 |
| SI-3 | 2012-04-12 | dotCMS template permissions allow arbitrary code execution | Moderate | |
| SI-2 | 2011-06-06 | Cookies do not require SSL | Moderate | 2.5.7 |
| SI-1 | 2011-02-06 | Problem with XSS attack on 404 page | Low | 1.9.2 |