PatchSiren cyber security CVE debrief
CVE-2017-5875 Dotcms CVE debrief
CVE-2017-5875 is an authenticated cross-site scripting (XSS) vulnerability in dotCMS 3.7.0. The issue is tied to the /myAccount addressID parameter and is cataloged by NVD as CWE-79. Because exploitation requires authentication and user interaction, the immediate risk is more targeted than a pre-authentication flaw, but it can still expose user data or alter browser-side behavior within the affected application.
- Vendor: Dotcms
- Product: CVE-2017-5875
- CVSS: MEDIUM 5.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-06
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-06
- Advisory updated: 2026-05-13
Who should care
Organizations running dotCMS 3.7.0, especially teams that allow multiple authenticated users, editors, or contributors to access account-related functions. Security teams should also care if dotCMS is used in a public-facing content workflow or if stored user interactions are trusted without strong output handling.
Technical summary
NVD describes the issue as an XSS condition in dotCMS 3.7.0 affecting the /myAccount addressID parameter. The CVSS vector is CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network reachability, low attack complexity, low privileges required, user interaction required, a changed scope, low confidentiality and integrity impact, and no availability impact. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).
Defensive priority
Medium priority. The CVSS score is 5.4 (Medium), but remediation should be expedited if the product is still deployed, particularly in environments where authenticated users can share links, view each other's content, or influence account-related pages.
Recommended defensive actions
- Confirm whether dotCMS 3.7.0 is deployed anywhere in your environment.
- Review vendor and project references for a fixed release or supported upgrade path before restoring or exposing the affected instance.
- Treat /myAccount and any parameter handling around addressID as high-risk input paths and verify that output encoding and server-side validation are in place.
- Restrict authenticated access to only the minimum necessary roles until remediation is complete.
- Scan for similar reflected or stored XSS patterns across other dotCMS account and profile-related endpoints.
- If mitigation cannot be applied immediately, reduce exposure by limiting who can access the application and by monitoring for unusual account-page activity.
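The output-encoding and validation check from the actions above, shown as an added Python illustration rather than dotCMS code: the unencoded reflection is the CWE-79 pattern, the encoded variant neutralizes it, and the validated variant rejects unexpected input outright. The allowlist pattern for addressID is an assumption, since the page does not state the parameter's real format.

```python
import html
import re
from typing import Optional

# Assumption: addressID is an identifier-style value. The real dotCMS format is
# not stated on the page; adjust the allowlist to match the deployed schema.
ADDRESS_ID_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")

# Constructed sample: a value that closes the attribute and injects a tag.
CONSTRUCTED_INPUT = 'A1"><b>x</b>'


def validate_address_id(raw: str) -> Optional[str]:
    """Return the value unchanged if it fits the expected shape, else None."""
    return raw if ADDRESS_ID_RE.fullmatch(raw) else None


def render_vulnerable(raw: str) -> str:
    """CWE-79 pattern: the request parameter is concatenated into markup as-is."""
    return f'<input type="hidden" name="addressID" value="{raw}">'


def render_encoded(raw: str) -> str:
    """Output handling only: HTML-attribute-encode before emitting into the page.

    quote=True also encodes the quote characters that would end the attribute.
    """
    return f'<input type="hidden" name="addressID" value="{html.escape(raw, quote=True)}">'


def render_validated(raw: str) -> str:
    """Server-side validation plus encoding: reject rather than try to clean."""
    valid = validate_address_id(raw)
    if valid is None:
        raise ValueError("addressID rejected by allowlist")
    return render_encoded(valid)


def tag_count(fragment: str) -> int:
    """Crude helper: how many '<' characters reached the rendered fragment."""
    return fragment.count("<")
```

With the constructed input, `render_vulnerable` emits three tags where one was intended, `render_encoded` emits exactly one, and `render_validated` refuses the value before it reaches the page.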
Evidence notes
The NVD record lists dotCMS 3.7.0 as vulnerable and assigns CWE-79 with CVSS 3.0 vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The supplied CVE description states the attack targets the /myAccount addressID parameter and requires authentication. Linked references include a SecurityFocus BID entry and a dotCMS GitHub issue reference, both of which support the reported vulnerability context.
Official resources
- CVE-2017-5875 CVE record (CVE.org)
- CVE-2017-5875 NVD detail (NVD)
- Mitigation or vendor reference: Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Exploit, Issue Tracking, Third Party Advisory
Publicly disclosed via the CVE/NVD record on 2017-02-06; the NVD entry was last modified on 2026-05-13.