Vulnerability Information
Vulnerability Title
N/A
Vulnerability Description
dotCMS before 20.10.1 allows SQL injection, as demonstrated by the /api/v1/containers orderby parameter. The PaginatorOrdered classes that are used to paginate the results of REST endpoints do not sanitize the orderBy parameter, which in some cases makes them vulnerable to SQL injection attacks. A user must be an authenticated manager in the dotCMS system to exploit this vulnerability.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
Dotcms dotCMS SQL Injection Vulnerability
Vulnerability Description
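Dotcms dotCMS is a content management system (CMS) from dotCMS (Dotcms), a US company. The system supports modules such as RSS feeds, blogs, and forums, and is easy to extend and build on. dotCMS versions before 20.10.1 have a SQL injection vulnerability that stems from the /api/v1/containers orderby parameter. The PaginatorOrdered classes used to paginate the results of REST endpoints do not sanitize the orderBy parameter, and in some cases it is vulnerable to SQL injection attacks. To exploit this vulnerability, a user must be an authenticated manager in the dotCMS system.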
CVSS Information
N/A
Vulnerability Type
N/A