Boolean-Based Blind SQL Injection in dotCMS by dotCMS
CVE-2025-8311

5.5MEDIUM

Key Information:

Vendor: Dotcms
Status: Dotcms Cloud Services (dcs)
Vendor: CVE Published:; 4 September 2025

What is CVE-2025-8311?

The identified vulnerability allows authenticated attackers with minimal privileges to exploit a Boolean-based blind SQL injection through the /api/v1/contenttype endpoint of dotCMS. By manipulating the sites query parameter, it is possible to inject malicious SQL code, leading to unauthorized data extraction and potentially enabling denial-of-service conditions. The flaw arises from the inadequate sanitization of user inputs before they are concatenated into SQL queries. Security assessments using tools like SQLMap have confirmed this risk, underscoring the critical need for prompt updates to secure affected installations.

Affected Version(s)

dotCMS Cloud Services (dCS) 24.03.22+

References

https://dev.dotcms.com/docs/known-security-issues?issueNu...

vendor-advisoryissue-trackingrelated

CVSS V4

Score:

5.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 4, 2025
Vulnerability Reserved
Jul 29, 2025

Dotcms

What is CVE-2025-8311?

Affected Version(s)

References

CVSS V4

Timeline