These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2022-26352 is a dotCMS unrestricted file upload vulnerability that CISA placed in its Known Exploited Vulnerabilities catalog on 2022-08-25. Because CISA also marked it as having known ransomware campaign use, organizations running dotCMS should treat this as an urgent remediation item and follow vendor update guidance without delay.
CVE-2017-5344 is a critical SQL injection flaw in dotCMS through 3.6.1. The vulnerable findChildrenByFilter() path is reachable through the web-accessible /categoriesServlet endpoint, and the documented SQL escaping and keyword blacklist can be bypassed for the q and inode parameters. Because the endpoint is reachable remotely without authentication in a default deployment, exposure can be high for intern [truncated]
CVE-2017-5877 describes a cross-site scripting (XSS) issue in dotCMS 3.7.0 that can be triggered without authentication through the /about-us/locations/index direction parameter. Because the flaw is reachable over the network and requires user interaction, it can be used to execute attacker-supplied script in a victim’s browser on affected deployments. NVD classifies the issue as CVSS v3.0 6.1 (MEDIUM) wi [truncated]
CVE-2017-5876 is a medium-severity cross-site scripting issue affecting dotCMS 3.7.0. According to the NVD record, the flaw can be reached without authentication through the /news-events/events date parameter, and the CVSS vector indicates network access with user interaction required. Public references point to the CVE record, the NVD detail page, a SecurityFocus BID entry, and a dotCMS GitHub issue trac [truncated]
CVE-2017-5875 is an authenticated cross-site scripting (XSS) vulnerability in dotCMS 3.7.0. The issue is tied to the /myAccount addressID parameter and is cataloged by NVD as CWE-79. Because exploitation requires authentication and user interaction, the immediate risk is more targeted than a pre-authentication flaw, but it can still expose user data or alter browser-side behavior within the affected application.