Description

SQL injection vulnerability in the "Site Browser > Links pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.

Remediation

References

CVE-2016-8906

Related Vulnerabilities

Moodle Improper Access Control Vulnerability (CVE-2016-8642)

WordPress Plugin WP Spell Check Cross-Site Request Forgery (7.1.9)

Zenphoto Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2022-44449)

SugarCRM Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2019-17297)

MySQL CVE-2024-21056 Vulnerability (CVE-2024-21056)

Severity

High

Classification

CVE-2016-8906 CWE-138 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities