SQL Injection Vulnerability in dotCMS Product by dotCMS
CVE-2016-4040

7.2HIGH

Key Information:

Vendor

Dotcms

Status
Dotcms
Vendor
CVE Published:
19 April 2016

What is CVE-2016-4040?

A SQL injection vulnerability exists in the Workflow Screen of dotCMS prior to version 3.3.2. This flaw allows remote administrators to manipulate SQL queries by exploiting the orderby parameter, which can lead to unauthorized execution of arbitrary SQL commands. Attackers could leverage this vulnerability to gain access to sensitive data or alter database information, posing significant security risks.

References

https://github.com/dotCMS/core/issues/8840
x_refsource_CONFIRM
http://dotcms.com/security/SI-36
x_refsource_CONFIRM
https://github.com/dotCMS/core/commit/bc4db5d71dc67015572...
x_refsource_CONFIRM

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability Reserved

  • Vulnerability published

JSON
.