PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5877 Dotcms CVE debrief

CVE-2017-5877 describes a cross-site scripting (XSS) issue in dotCMS 3.7.0 that can be triggered without authentication through the direction parameter of the /about-us/locations/index page. The flaw is reachable over the network and needs no privileges, but it does require user interaction: a victim has to open a crafted link, after which attacker-supplied script runs in the victim's browser in the context of the affected site. NVD classifies the issue as CVSS v3.0 6.1 (MEDIUM) with changed scope and low confidentiality and integrity impact.

Vendor                  Dotcms
Product                 dotCMS 3.7.0
CVSS                    MEDIUM 6.1
CISA KEV                Not listed in stored evidence
Original CVE published  2017-02-06
Original CVE updated    2026-05-13
Advisory published      2017-02-06
Advisory updated        2026-05-13

Who should care

Teams operating dotCMS 3.7.0 instances, especially public-facing sites that expose the affected /about-us/locations/index endpoint, should treat this as a web application input-validation and output-encoding issue. Security teams responsible for browser-side risk, session exposure, and content integrity should also review it.

Technical summary

The supplied NVD record maps CVE-2017-5877 to dotCMS 3.7.0 and CWE-79 (improper neutralization of input during web page generation, i.e. XSS). The description indicates an unauthenticated attack through the direction parameter of /about-us/locations/index. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) encodes remote exploitation with low complexity and no privileges, a required user interaction (the victim must load the crafted URL), and a changed scope: the vulnerable component is the server-side page, but the impact lands in the victim's browser. Confidentiality and integrity impact are rated low and availability impact none, which is the usual profile for a reflected XSS that can read or alter page content and same-origin data but does not take the service down.
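The CWE-79 pattern the record describes, shown as an added illustration rather than dotCMS's own code: a hypothetical page handler that writes the direction parameter into HTML unencoded, next to an encode-only version and a hardened version that validates against an assumed allow-list (asc/desc) and still HTML-encodes on output. The handler names, the markup, the allow-list and the attack query string are all assumptions introduced for this example.

```python
"""Reflected XSS via a query parameter: vulnerable and hardened rendering.

Added illustration. The handlers, the markup and the allow-list are
assumptions; none of this is dotCMS code.
"""
import html
from urllib.parse import parse_qs

# Assumed set of legitimate values for a sort-direction parameter.
ALLOWED_DIRECTIONS = frozenset({"asc", "desc"})
DEFAULT_DIRECTION = "asc"
PAGE_PATH = "/about-us/locations/index"


def get_direction(query_string: str) -> str:
    """Return the raw (percent-decoded) 'direction' value, or '' if absent."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("direction", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """The CWE-79 pattern: the parameter is written into HTML as-is.

    A value such as  "><script>...</script>  closes the href attribute and
    the anchor tag, so attacker markup becomes part of the page.
    """
    direction = get_direction(query_string)
    return (
        '<a href="' + PAGE_PATH + '?direction=' + direction + '">'
        'Sort ' + direction + '</a>'
    )


def render_encoded_only(query_string: str) -> str:
    """Output encoding alone: the value is HTML-escaped before insertion.

    Adequate for HTML-text and quoted-attribute contexts; the payload text
    still appears on the page, but only as inert entities.
    """
    safe = html.escape(get_direction(query_string), quote=True)
    return (
        '<a href="' + PAGE_PATH + '?direction=' + safe + '">'
        'Sort ' + safe + '</a>'
    )


def render_hardened(query_string: str) -> str:
    """Defence in depth: allow-list validation first, then output encoding.

    Unexpected values are replaced by the default instead of being echoed,
    so attacker input never reaches the page; encoding still guards the day
    the allow-list is widened to free-form values.
    """
    direction = get_direction(query_string)
    if direction not in ALLOWED_DIRECTIONS:
        direction = DEFAULT_DIRECTION
    safe = html.escape(direction, quote=True)
    return (
        '<a href="' + PAGE_PATH + '?direction=' + safe + '">'
        'Sort ' + safe + '</a>'
    )


def injects_markup(rendered: str) -> bool:
    """True if the fragment contains tags beyond the single anchor.

    A safe rendering has exactly two '<' characters: '<a ...>' and '</a>'.
    Escaped input contributes '&lt;' rather than '<', so it does not count.
    """
    return rendered.count("<") != 2


# Constructed attacker query string, percent-encoded as it travels in a URL.
ATTACK_QUERY = "direction=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(ATTACK_QUERY))
    print("encoded   :", render_encoded_only(ATTACK_QUERY))
    print("hardened  :", render_hardened(ATTACK_QUERY))
```

The encode-only variant is enough to stop this particular payload, but the hardened variant is the one to aim for: a parameter with two legitimate values has no reason to echo anything else, and rejecting early removes the reflection entirely instead of relying on every template author to remember the escape call.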

Defensive priority

Medium

Recommended defensive actions

  • Confirm whether any dotCMS 3.7.0 deployments are still in service and inventory the exposed /about-us/locations/index path.
  • Review server-side handling of the direction parameter and other user-controlled inputs: validate against the set of expected values where one exists, and apply context-appropriate output encoding wherever a value is written into HTML.
  • Use the references in the NVD record to identify any patched release, workaround, or migration guidance; the stored evidence does not name a fixed version.
  • Add or verify browser-side mitigations such as a restrictive Content Security Policy (no 'unsafe-inline' in script-src) where feasible. CSP limits the impact of a successful injection but does not remove the flaw.
  • Monitor logs and application telemetry for suspicious query strings or repeated requests targeting the affected endpoint, including URL-encoded and double-encoded forms of script-like content.
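A triage helper for the last two actions, added here as an example and not PatchSiren or dotCMS tooling: it parses access log lines in combined format (constructed samples below, using documentation-range IPs), flags requests to /about-us/locations/index whose direction value decodes to script-like content, counts repeat sources, and checks whether a Content-Security-Policy string forbids inline script. The sample lines, the indicator regex, the decode depth and the repeat threshold are all assumptions.

```python
"""Log triage for the affected endpoint plus a CSP sanity check.

Added illustration, not PatchSiren or dotCMS tooling. The log lines below
are constructed samples in Apache/Nginx combined format, not real traffic.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit

TARGET_PATH = "/about-us/locations/index"

# Constructed sample log (RFC 5737 documentation addresses; not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [06/Feb/2017:10:01:02 +0000] "GET /about-us/locations/index?direction=asc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Feb/2017:10:01:07 +0000] "GET /about-us/locations/index?direction=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5301 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Feb/2017:10:02:11 +0000] "GET /about-us/locations/index?direction=desc&page=2 HTTP/1.1" 200 5120 "-" "curl/7.52.1"
203.0.113.9 - - [06/Feb/2017:10:02:40 +0000] "GET /about-us/locations/index?direction=asc%2522%2520onmouseover%253D%2522alert(1) HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Feb/2017:10:03:00 +0000] "GET /news/index?direction=%3Cscript%3E HTTP/1.1" 404 210 "-" "curl/7.52.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed indicators: tag openers, javascript: URLs and inline event handlers.
XSS_INDICATORS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|body)\b|javascript\s*:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_direction(target: str):
    """Return the decoded direction value when the request hits the affected
    path with XSS-like content; None otherwise (other paths are ignored)."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return None
    # parse_qs already decodes one layer; decode_fully handles the rest.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("direction", []):
        decoded = decode_fully(raw)
        if XSS_INDICATORS.search(decoded):
            return decoded
    return None


def triage(log_text: str) -> list:
    """Scan combined-format lines and return one record per suspicious hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        payload = suspicious_direction(m["target"])
        if payload is not None:
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "status": int(m["status"]), "payload": payload})
    return hits


def repeat_sources(hits: list, threshold: int = 2) -> list:
    """Source addresses with at least `threshold` suspicious requests."""
    counts = Counter(h["ip"] for h in hits)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def csp_blocks_inline_script(policy: str) -> bool:
    """Conservative check that a CSP header value forbids inline script.

    Looks at script-src, falling back to default-src. Returns False if no
    directive covers scripts or if 'unsafe-inline' is listed, even alongside
    a nonce or hash (browsers then ignore it, but a reviewer should still
    see it flagged).
    """
    directives = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False
    return "'unsafe-inline'" not in sources


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for hit in found:
        print(hit["ts"], hit["ip"], hit["status"], repr(hit["payload"]))
    print("repeat sources:", repeat_sources(found))
```

Two points worth noting when adapting this. A 200 status on a flagged request is the interesting case, since it means the page rendered the value; and the fourth sample line is double-encoded, which a single-pass decoder or a naive `grep '<script'` on raw logs would miss entirely.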

Evidence notes

This debrief is based on the supplied NVD CVE record and linked references. NVD lists dotCMS 3.7.0 as the vulnerable CPE and classifies the weakness as CWE-79. The CVSS v3.0 vector provided by NVD is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The supplied corpus does not include a specific fixed version or patch identifier, so remediation guidance is limited to reviewing the official references.

Official resources

Published on 2017-02-06; the supplied NVD record was last modified on 2026-05-13. This summary uses the CVE publication date for timing context.