PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5344 Dotcms CVE debrief

CVE-2017-5344 is a critical SQL injection flaw in dotCMS through 3.6.1. The vulnerable findChildrenByFilter() path is reachable through the web-accessible /categoriesServlet endpoint, and the documented SQL escaping and keyword blacklist can be bypassed for the q and inode parameters. Because the endpoint is reachable remotely without authentication in a default deployment, exposure can be high for internet-facing instances.

Vendor: Dotcms
Product: CVE-2017-5344
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

dotCMS administrators, application owners, and security teams responsible for internet-facing or externally reachable dotCMS deployments through 3.6.1 should treat this as urgent. Database and incident response teams should also care because the flaw can be abused for blind boolean SQL injection and potential data exposure.

Technical summary

NVD classifies the issue as CWE-89 with CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The affected code path performs string interpolation and direct SQL query execution in findChildrenByFilter(), which is invoked by /categoriesServlet. Remediation logic added in SQLUtil for quote escaping and keyword blacklisting is described in the source record as bypassable for the q and inode parameters, leaving blind boolean SQL injection vectors available.
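The following is an added illustration, not dotCMS code: a simplified stand-in for a findChildrenByFilter-style lookup built on sqlite3. It shows the CWE-89 pattern the record describes (a filter built by string interpolation and executed directly) next to the hardened form, and why quote escaping alone is not a fix: escaping protects a value placed inside a quoted string literal, but an inode interpolated unquoted into a numeric comparison is still injectable. The table, rows and function names are constructed for the example.

```python
"""Added example (not dotCMS's SQLUtil or findChildrenByFilter): string
interpolation versus parameterised queries for a category-children lookup."""
import re
import sqlite3


def build_db():
    # Constructed sample schema: a small category tree keyed by inode.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE category (inode INTEGER, parent INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO category VALUES (?, ?, ?)",
        [(1, 0, "root"), (2, 1, "news"), (3, 1, "blog"), (4, 2, "world")],
    )
    return conn


def escape_quotes(value):
    # Doubling single quotes only neutralises a value that sits inside '...'.
    # A value interpolated unquoted (the numeric inode below) is unaffected.
    return value.replace("'", "''")


def find_children_unsafe(conn, q, inode):
    # Vulnerable pattern: escape-then-concatenate, then execute directly.
    sql = (
        "SELECT name FROM category WHERE parent = " + escape_quotes(inode)
        + " AND name LIKE '%" + escape_quotes(q) + "%' ORDER BY inode"
    )
    return [row[0] for row in conn.execute(sql)]


def find_children_safe(conn, q, inode):
    # Hardened form: validate the numeric parameter's type up front and let
    # the driver bind both values, so no user input ever reaches the SQL text.
    if not re.fullmatch(r"\d+", inode):
        raise ValueError("inode must be a decimal integer")
    sql = "SELECT name FROM category WHERE parent = ? AND name LIKE ? ORDER BY inode"
    return [row[0] for row in conn.execute(sql, (int(inode), f"%{q}%"))]


def run_demo():
    """Return (safe rows, unsafe rows for a boolean probe, whether safe rejected it)."""
    conn = build_db()
    probe = "1 OR 1=1"  # textbook boolean condition appended to a numeric parameter
    safe_rows = find_children_safe(conn, "", "1")
    unsafe_rows = find_children_unsafe(conn, "", probe)
    try:
        find_children_safe(conn, "", probe)
        rejected = False
    except ValueError:
        rejected = True
    return safe_rows, unsafe_rows, rejected


if __name__ == "__main__":
    safe_rows, unsafe_rows, rejected = run_demo()
    print("children of inode 1 (safe):", safe_rows)
    print("rows leaked by the unsafe query:", unsafe_rows)
    print("hardened query rejected the probe:", rejected)
```

The unsafe variant returns every row in the table for the probe even though the quotes were escaped, because the condition is appended outside any string literal; the hardened variant refuses the value before it is ever bound. The same type-check-plus-bind approach applies to the q parameter, where the LIKE pattern is passed as a bound value rather than spliced into the query.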

Defensive priority

Immediate. Prioritize patching or otherwise removing exposure of affected dotCMS instances, especially any deployment that exposes /categoriesServlet to untrusted networks.

Recommended defensive actions

  • Apply the vendor remediation referenced by dotCMS security advisory SI-39 and move affected systems off versions through 3.6.1.
  • Restrict external access to /categoriesServlet and the broader dotCMS admin/application surface until patched.
  • Audit application and database logs for unusual /categoriesServlet requests, repeated parameter probing, or signs of blind SQL injection.
  • Verify all dotCMS instances, including test and legacy systems, because default deployments may expose the vulnerable path remotely without authentication.
  • Review any custom code, proxy rules, or WAF policies that might still allow direct access to the endpoint or help an attacker iterate on boolean-based SQL injection payloads.
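As an added example for the log-audit action above (not a PatchSiren or dotCMS tool), the script below runs over a handful of constructed access-log lines in combined format and reports two things a responder would look for: requests to /categoriesServlet whose q or inode parameter carries SQL metacharacters, keywords or a non-numeric inode, and sources that hit the endpoint in a tight burst, which is what iterative boolean probing looks like in a log. The IP addresses, timestamps and request lines are constructed; the endpoint and parameter names come from the record.

```python
"""Added example: audit access logs for suspicious /categoriesServlet requests."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/categoriesServlet"
WATCHED = ("q", "inode")  # parameters named in the CVE record

# Combined/common log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)"
)
# Quote, statement terminator, comment markers, or whole-word SQL keywords.
SUSPECT_RE = re.compile(r"""['";]|--|/\*|\b(?:or|and|union|select|sleep|waitfor)\b""", re.I)

# Constructed sample: one benign visitor and one source iterating on the inode parameter.
SAMPLE_LOG = """
203.0.113.7 - - [17/Feb/2017:10:00:01 +0000] "GET /categoriesServlet?q=news&inode=2 HTTP/1.1" 200 512
203.0.113.7 - - [17/Feb/2017:10:00:02 +0000] "GET /categoriesServlet?q=news&inode=2%20AND%201%3D1 HTTP/1.1" 200 512
203.0.113.7 - - [17/Feb/2017:10:00:03 +0000] "GET /categoriesServlet?q=news&inode=2%20AND%201%3D2 HTTP/1.1" 200 12
198.51.100.4 - - [17/Feb/2017:10:00:05 +0000] "GET /categoriesServlet?q=blog&inode=3 HTTP/1.1" 200 480
203.0.113.7 - - [17/Feb/2017:10:00:06 +0000] "GET /categoriesServlet?q=news%27%20OR%20%271%27%3D%271&inode=2 HTTP/1.1" 200 512
""".strip().splitlines()


def parse_line(line):
    """Parse one log line into a dict with path, decoded params and a datetime."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so the check sees what the servlet saw.
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def inspect_params(params):
    """Return the reasons a request's watched parameters look like injection probing."""
    reasons = []
    inode = params.get("inode")
    if inode is not None and not inode.isdigit():
        reasons.append("non-numeric inode")
    for name in WATCHED:
        if SUSPECT_RE.search(params.get(name, "")):
            reasons.append(f"sql metacharacter/keyword in {name}")
    return reasons


def audit(lines, burst_window_s=60, burst_threshold=3):
    """Return (flagged requests, set of source IPs that hit the endpoint in a burst)."""
    flagged = []
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != ENDPOINT:
            continue
        hits[rec["ip"]].append(rec["when"])
        reasons = inspect_params(rec["params"])
        if reasons:
            flagged.append({"ip": rec["ip"], "target": rec["target"], "reasons": reasons})
    bursts = set()
    for ip, times in hits.items():
        times.sort()
        # Sliding window: burst_threshold hits inside burst_window_s seconds.
        for i in range(len(times) - burst_threshold + 1):
            if (times[i + burst_threshold - 1] - times[i]).total_seconds() <= burst_window_s:
                bursts.add(ip)
                break
    return flagged, bursts


def audit_sample():
    return audit(SAMPLE_LOG)


if __name__ == "__main__":
    flagged, bursts = audit_sample()
    for f in flagged:
        print(f["ip"], f["target"], "->", "; ".join(f["reasons"]))
    print("burst sources:", sorted(bursts))
```

Point the script at the web server or reverse-proxy access log in front of dotCMS rather than only the application log, since the decoded query string is what matters. The burst window and threshold are starting values to tune against normal traffic; a paired pair of near-identical requests with sharply different response sizes (the 512/12 pattern in the sample) is a further boolean-injection signal worth adding once the baseline is known.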

Evidence notes

This debrief is grounded in the supplied NVD record and CVE metadata. The record states the issue affects dotCMS through 3.6.1, is reachable via /categoriesServlet, and can be exploited without authentication in a default deployment. NVD assigns CVSS 3.0 9.8/Critical and CWE-89. The source corpus also includes the vendor advisory reference SI-39 and third-party exploit references, but those are not used here beyond confirming public disclosure context.

Official resources

Publicly disclosed on 2017-02-17; the NVD record was last modified on 2026-05-13. Timing in this debrief is anchored to the CVE publication date, not the later modification date.