Issues » SQL Injection Possible By Publisher Role

Issue: SI-53
Date: Jun 6, 2019, 3:00:00 AM
Severity: Medium
Requires Admin Access: Yes
Fix Version: 5.1.6
Credit: Johannes Moritz - RIPS TECHNOLOGIES GMBH
Description:

If there are bundles that have not been pushed, it is possible for someone with Publisher permissions to use the view_unpushed_bundles.jsp to inject code into SQL.  

References

https://github.com/dotCMS/core/issues/16624