Vulnerability Description
SQL injection vulnerability in the categoriesServlet servlet in dotCMS before 3.3.1 allows remote unauthenticated attackers to execute arbitrary SQL commands via the sort parameter.
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dotcms | Dotcms | <= 3.3 |
Related Weaknesses (CWE)
References
- http://seclists.org/fulldisclosure/2016/Nov/0 (Third Party Advisory)
- http://www.securityfocus.com/bid/94311 (Technical Description, VDB Entry)
- https://github.com/dotCMS/core/pull/8460/ (Patch, Vendor Advisory)
- https://github.com/dotCMS/core/pull/8468/ (Patch, Vendor Advisory)
- https://security.elarlang.eu/multiple-sql-injection-vulnerabilities-in-dotcms-8x (Exploit, Third Party Advisory)
FAQ
What is CVE-2016-8902?
CVE-2016-8902 is a vulnerability with a CVSS score of 9.8 (CRITICAL). SQL injection vulnerability in the categoriesServlet servlet in dotCMS before 3.3.1 allows remote unauthenticated attackers to execute arbitrary SQL commands via the sort parameter.
How severe is CVE-2016-8902?
CVE-2016-8902 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2016-8902?
Check the references section above for vendor advisories and patch information. Affected products: Dotcms Dotcms (versions <= 3.3, as listed in the table above).