CVE-2020-27848
N/A
N/A
Summary
dotCMS before 20.10.1 allows SQL injection, as demonstrated by the /api/v1/containers orderby parameter. The PaginatorOrdered classes that are used to paginate results of a REST endpoints do not sanitize the orderBy parameter and in some cases it is vulnerable to SQL injection attacks. A user must be an authenticated manager in the dotCMS system to exploit this vulnerability.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/dotCMS/core/issues/19500
- https://github.com/dotCMS/core/compare/v5.3.8.1…v20.10.1
References
- https://github.com/dotCMS/core/issues/19500
- https://github.com/dotCMS/core/compare/v5.3.8.1…v20.10.1
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.