SQL Injection Vulnerability in dotCMS Before Version 3.3.1
CVE-2016-8904

8.8HIGH

Key Information:

Vendor

Dotcms

Status
Dotcms
Vendor
CVE Published:
14 November 2016

What is CVE-2016-8904?

An SQL injection vulnerability exists in the 'Site Browser > Containers pages' screen of dotCMS versions prior to 3.3.1. This flaw enables remote authenticated attackers to manipulate SQL queries through the 'orderby' parameter, leading to the potential execution of arbitrary SQL commands. This could compromise the integrity of the database and expose sensitive information, making it critical for users to upgrade to the latest versions and secure their installations.

References

https://github.com/dotCMS/core/pull/8460/
x_refsource_MISC
http://www.securityfocus.com/bid/94311
vdb-entryx_refsource_BID
http://seclists.org/fulldisclosure/2016/Nov/0
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.