Vulners
Lucene search
dotCMS 3.x SQL Injection
| Reporter | Title | Published | Views | Family All 54 |
|---|---|---|---|---|
 | dotCMS 3.x SQL Injection Vulnerability | 2 Nov 201600:00 | – | zdt |
 | DotCMS Workflow Screen SQL Injection Vulnerability | 20 Apr 201600:00 | – | cnvd |
| DotCMS SQL Injection Vulnerability (CNVD-2016-11001) | 10 Nov 201600:00 | – | cnvd |
| DotCMS SQL Injection Vulnerability (CNVD-2016-11002) | 10 Nov 201600:00 | – | cnvd |
| DotCMS SQL Injection Vulnerability (CNVD-2016-11003) | 10 Nov 201600:00 | – | cnvd |
| DotCMS SQL Injection Vulnerability (CNVD-2016-11004) | 10 Nov 201600:00 | – | cnvd |
| DotCMS SQL Injection Vulnerability (CNVD-2016-11005) | 10 Nov 201600:00 | – | cnvd |
| DotCMS SQL Injection Vulnerability (CNVD-2016-11006) | 10 Nov 201600:00 | – | cnvd |
| DotCMS SQL Injection Vulnerability (CNVD-2016-11007) | 10 Nov 201600:00 | – | cnvd |
 | CVE-2016-4040 | 19 Apr 201614:00 | – | cve |
10
`Title: Multiple SQL injection vulnerabilities in dotCMS (8x CVE)
Credit: Elar Lang / https://security.elarlang.eu
Vendor/Product: dotCMS (http://dotcms.com/)
Vulnerability: SQL injection
Vulnerable version: before 3.5; 3.3.1 and 3.3.2 (depends on CVE)
CVE: CVE-2016-8902, CVE-2016-8903, CVE-2016-8904, CVE-2016-8905,
CVE-2016-8906, CVE-2016-8907, CVE-2016-8908, CVE-2016-4040
# Multiple SQL injections in dotCMS framework.
## CVE-2016-8902 - categoriesServlet, sort
SQL injection vulnerability in the categoriesServlet in dotCMS before
3.3.1 allows remote not authenticated attackers to execute arbitrary
SQL commands via the sort parameter.
Preconditions: None. No authentication needed.
Proof-of-Concept URL, vulnerable parameter is "sort":
/categoriesServlet?start=0&count=10&sort=SQLi
## CVE-2016-8903 - "Templates pages", _EXT_13_orderby
SQL injection vulnerability in the "Site Browser > Templates pages"
screen in dotCMS before 3.3.1 allows remote authenticated attackers to
execute arbitrary SQL commands via the _EXT_13_orderby parameter.
Preconditions: attacker must be authenticated.
Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > Templates
pages", click on some column title in the resultset table):
/c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_13&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_13_struts_action=%2Fext%2Ftemplates%2Fview_templates&_EXT_13_pageNumber=1&_EXT_13_orderby=SQLi
## CVE-2016-8904 - "Containers pages", _EXT_12_orderby
SQL injection vulnerability in the "Site Browser > Containers pages"
screen in dotCMS before 3.3.1 allows remote authenticated attackers to
execute arbitrary SQL commands via the _EXT_12_orderby parameter.
Preconditions: attacker must be authenticated.
Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > Containers
pages", click on some column title in the resultset table):
/c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_12&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_12_struts_action=%2Fext%2Fcontainers%2Fview_containers&_EXT_12_pageNumber=1&_EXT_12_orderby=SQLi
## CVE-2016-8905 - JSONTags servlet, sort
SQL injection vulnerability in the JSONTags servlet in dotCMS before
3.3.1 allows remote authenticated attackers to execute arbitrary SQL
commands via the sort parameter.
Preconditions: attacker must be authenticated.
Proof-of-Concept
/JSONTags?start=0&count=10&sort=tagname SQLi
## CVE-2016-8906 - "Links pages", _EXT_18_orderby
SQL injection vulnerability in the "Site Browser > Links page" screen
in dotCMS before 3.3.1 allows remote authenticated attackers to
execute arbitrary SQL commands via the _EXT_18_orderby parameter.
Preconditions: attacker must be authenticated.
Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > Links
pages", click on some column title in the resultset table):
/c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_18&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_18_struts_action=%2Fext%2Flinks%2Fview_links&_EXT_18_pageNumber=1&_EXT_18_orderby=SQLi
## CVE-2016-8907 - "Content Types", _EXT_STRUCTURE_orderBy and
_EXT_STRUCTURE_direction
SQL injection vulnerability in the "Content Types > Content Types"
screen in dotCMS before 3.3.1 allows remote authenticated attackers to
execute arbitrary SQL commands via the _EXT_STRUCTURE_orderBy and
_EXT_STRUCTURE_direction parameters.
Preconditions: attacker must be authenticated.
Proof-of-Concept URL (from "Admin Site" UI: "Content Types > Content
Types", click on some column title in the resultset table)
/c/portal/layout?p_l_id=56fedb43-dbbf-4ce2-8b77-41fb73bad015&p_p_id=EXT_STRUCTURE&p_p_action=1&p_p_state=maximized&p_p_mode=view&_EXT_STRUCTURE_struts_action=%2Fext%2Fstructure%2Fview_structure&_EXT_STRUCTURE_orderBy=SQLi&_EXT_STRUCTURE_direction=SQLi
## CVE-2016-8908 - "HTML pages", _EXT_15_orderby
SQL injection vulnerability in the "Site Browser > HTML pages" screen
in dotCMS before 3.3.1 allows remote authenticated attackers to
execute arbitrary SQL commands via the _EXT_15_orderby parameter.
Preconditions: attacker must be authenticated.
Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > HTML
pages", click on some column title in the resultset table):
/c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_15&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_15_struts_action=%2Fext%2Fhtmlpages%2Fview_htmlpages&_EXT_15_orderby=modDate,SQLi&_EXT_15_pageNumber=1
## CVE-2016-4040 - "Workflow", _EXT_15_orderby
SQL injection vulnerability in the "Workflow Screen" in dotCMS before
3.3.2 allows remote administrators to execute arbitrary SQL commands
via the _EXT_15_orderby parameter.
Preconditions: attacker must be authenticated.
Proof-of-Concept URL (from "Admin Site" UI: "Home > Workflow tasks",
click on some column title in the resultset table)
/html/portlet/ext/workflows/view_tasks_list.jsp?schemeId=&assignedTo=&createdBy=&stepId=&open=false&closed=true&keywords=&orderBy=SQLi&count=1&page=1
# Vulnerability Disclosure Timeline
2015-12-14 | me > dotCMS | 8 SQL injection vulnerabilities
2015-12-14 | dotCMS > me | they were planning fixes in upcoming
release, estimated to beginning of 2016
2016-03-16 | dotCMS | dotCMS version 3.3.1 release (CVE-2016-4040
still not fixed)
2016-04-07 | me > dotCMS | what is the situation with reported vulnerabilities?
2016-04-07 | dotCMS > me | CVE-2016-4040 will be fixed in 3.5, which
is estimated to be out in mid-April
2016-04-19 | dotCMS | dotCMS version 3.5 release
2016-05-10 | dotCMS | dotCMS version 3.3.2 release
2016-10-31 | me | Full Disclosure on http://security.elarlang.eu
# Related fixes and releases
https://dotcms.com/docs/latest/change-log#release-3.3.1
https://dotcms.com/docs/latest/change-log#release-3.5
https://dotcms.com/docs/latest/change-log#release-3.3.2
--
Elar Lang
Blog @ https://security.elarlang.eu
Pentester, lecturer @ http://www.clarifiedsecurity.com
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Nov 2016 00:00Current
7.8High risk
Vulners AI Score7.8
EPSS0.02036