PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5876 Dotcms CVE debrief

CVE-2017-5876 is a medium-severity cross-site scripting issue affecting dotCMS 3.7.0. According to the NVD record, the flaw can be reached without authentication through the /news-events/events date parameter, and the CVSS vector indicates network access with user interaction required. Public references point to the CVE record, the NVD detail page, a SecurityFocus BID entry, and a dotCMS GitHub issue tracker reference.

Vendor
Dotcms
Product
dotCMS
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-06
Original CVE updated
2026-05-13
Advisory published
2017-02-06
Advisory updated
2026-05-13

Who should care

dotCMS administrators, application owners, and security teams responsible for public-facing sites running dotCMS 3.7.0 should treat this as relevant. Web security teams should also review any environment where users may be induced to follow links or load content from the affected endpoint.

Technical summary

The supplied NVD data describes an XSS weakness in dotCMS 3.7.0, mapped to CWE-79 (improper neutralization of input during web page generation). The vulnerable surface is the date parameter of /news-events/events. NVD assigns CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: the endpoint is reachable over the network with low attack complexity, no privileges are required, a victim must interact (for example, follow a crafted link), the scope is changed because the injected script runs in the victim's browser rather than in the dotCMS process, and the impact is limited loss of confidentiality and integrity with no availability impact.

Defensive priority

Medium. The issue is publicly documented, reachable without authentication, and its payload executes in the victim's browser, so it can affect exposed deployments even when the attacker has no account. Remediate promptly if dotCMS 3.7.0 is still in use, especially on internet-facing instances.

Recommended defensive actions

  • Inventory dotCMS deployments and confirm whether version 3.7.0 is present.
  • Treat the date parameter of /news-events/events as untrusted input and verify that the code path which reflects it into the page applies output encoding appropriate to the HTML context (attribute value, element body, or script) in which the value lands.
  • Review application and reverse-proxy logs for unusual requests to the affected endpoint, especially patterns consistent with attempted script injection.
  • Apply the vendor-recommended remediation if available through dotCMS maintenance channels or upgrade to a non-vulnerable release.
  • Add or tighten web application controls such as output encoding checks, input validation, and security testing around any page that reflects request parameters into browser content.
  • If the application is exposed to end users, consider temporary compensating controls such as WAF rules or request filtering while remediation is being deployed.

Evidence notes

The CVE record and NVD detail both identify dotCMS 3.7.0 as vulnerable. The NVD metadata names CWE-79 and provides the CVSS vector. The issue tracker reference from dotCMS and the SecurityFocus BID entry are listed in the source corpus as supporting references. No fixed version or patch hash was provided in the supplied corpus, so remediation guidance is intentionally limited to defensive actions.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-02-06. The supplied corpus includes later metadata modification timestamps, but those do not change the original disclosure date.