| Issue |
Published |
Title |
Severity |
Fix Version |
| SI-18 |
2014-04-21 |
Arbitrary Command Execution |
Critical |
2.5.4 |
| SI-35 |
2016-04-12 |
SQL Injection via REST api |
Critical |
3.3.2, 3.5 |
| SI-8 |
2013-06-05 |
SQL Injection from Workflow Screen |
Critical |
2.3.2 |
| SI-15 |
2013-06-18 |
AJAX requests without a session ID or other form of authentication |
Critical |
2.3.2 |
| SI-17 |
2014-04-21 |
Forgot Password generates weak password |
Critical |
2.5.4 |
| SI-39 |
2017-01-17 |
Blind SQL injection |
Critical |
3.6.2 |
| SI-37 |
2016-07-27 |
Insufficient authentication in the CMSMaintenanceAjax class |
Critical |
3.3.2, 3.5.1 |
| SI-21 |
2014-04-21 |
Information disclosure through unauthenticated and unused scripts |
Critical |
2.5.4 |
| SI-31 |
2015-11-30 |
CSRF Add User |
Critical |
3.3 |
| SI-30 |
2015-11-30 |
SQL Injection from Workflow Screen II |
Critical |
3.3 |
| SI-49 |
2019-01-24 |
Reflected XSS Vulnerability in referer_js.jsp |
Moderate |
5.1.0 |
| SI-48 |
2019-01-10 |
File Upload Vulnerability |
Moderate |
TBD |
| SI-40 |
2017-03-09 |
Cross-Site Request Forgery (CSRF) |
Moderate |
Plugin |
| SI-19 |
2014-04-21 |
Cross Site Scripting filter bypass |
Moderate |
2.5.4 |
| SI-2 |
2011-06-06 |
Cookies do not require SSL |
Moderate |
2.5.7 |
| SI-51 |
2019-01-25 |
User Privilege Escalation Possible In Velocity Code |
Moderate |
5.1.0 |
| SI-52 |
2019-05-23 |
Reflected XSS Vulnerability in forward_js.jsp |
Moderate |
5.2.0 |
| SI-4 |
2012-09-10 |
XSS error on the account login page |
Moderate |
2.2 |
| SI-26 |
2014-07-17 |
CRLF Header Injection vulnerability |
Moderate |
3 |
| SI-44 |
2018-10-04 |
XSS vulnerability with image tool |
Moderate |
5.0.2 |
| SI-41 |
2017-03-09 |
Bundle path traversal |
Moderate |
3.7.2 |
| SI-28 |
2014-09-24 |
jsps exposed to non-authenticated users |
Moderate |
3 |
| SI-32 |
2016-04-04 |
SQL Injection via DWR - Requires Authenticated User |
Moderate |
3.3.2, 3.5 |
| SI-43 |
2017-03-13 |
Read access to restricted files in Tomcat on Windows |
Moderate |
n/a |
| SI-23 |
2014-04-21 |
HTTP header injection |
Moderate |
2.5.4 |
| SI-34 |
2016-04-11 |
Directory traversal vulnerability by Admin |
Moderate |
3.3.2, 3.5 |
| SI-53 |
2019-06-06 |
SQL Injection Possible By Publisher Role |
Moderate |
5.1.6 |
| SI-20 |
2014-04-21 |
Vulnerabilities in “Comments” feature |
Moderate |
2.5.4 |
| SI-46 |
2019-01-10 |
Client Side URL Redirection |
Moderate |
TBD |
| SI-47 |
2019-01-10 |
File Deletion Vulnerability |
Moderate |
TBD |
| SI-36 |
2016-04-12 |
SQL Injection from Workflow Screen III |
Moderate |
3.3.2, 3.5 |
| SI-3 |
2012-04-13 |
dotCMS template permissions allow arbitrary code execution |
Moderate |
1.9.5.1 |
| SI-14 |
2013-06-18 |
XSS Vulnerability on Login Page |
Moderate |
2.3.2 |
| SI-9 |
2013-06-05 |
Use of Persistent Cookies |
Low |
n/a |
| SI-24 |
2014-04-21 |
Missing Cookie Security Attribute “httpOnly” |
Low |
2.5.7 |
| SI-13 |
2013-06-10 |
Cross Site Request Forgery (XSRF or CSRF) |
Low |
n/a |
| SI-1 |
2011-02-07 |
Problem with XSS attack on 404 page |
Low |
1.9.2 |
| SI-38 |
2016-11-01 |
Captcha can be programmatically reused by passing session id |
Low |
3.6 |
| SI-11 |
2013-06-07 |
Test pages shipped in product |
Low |
2.3.2 |
| SI-16 |
2013-07-03 |
XSS possible in admin tool as authenticated user |
Low |
3 |
| SI-33 |
2016-04-11 |
XSS in Lucene Search Admin tool |
Low |
3.3.2, 3.5 |
| SI-12 |
2013-06-08 |
Possible Clickjacking / no frame busting code in dotCMS admin |
Low |
3 |
| SI-29 |
2015-11-30 |
SSRF Vulnerability in RESTful ContentAPI |
Low |
3.3 |
| SI-25 |
2014-04-21 |
Password fields with enabled autocomplete |
Low |
2.5.4 |
| SI-50 |
2019-01-24 |
Permissive CORS Policy |
Low |
TBD |
| SI-10 |
2013-06-07 |
Insecure Browser Caching |
Low |
2.5 |
| SI-27 |
2014-09-23 |
XSS on "page not found .jsp" |
Low |
3 |
| SI-6 |
2013-06-04 |
Cross Domain Scripts Included Within Application |
Low |
n/a |
| SI-42 |
2017-03-09 |
Upload of file types unrestricted |
Low |
n/a |
| SI-7 |
2013-06-04 |
Possible Cross Site Redirect |
Low |
2.5 |
| SI-5 |
2013-06-02 |
XSS possible after admin authentication |
Low |
n/a |
| SI-22 |
2014-04-21 |
Arbitrary URL redirects |
Low |
2.5.4 |