| SI-67 | 2022-12-15 | Directory Traversal with RCE | Moderate | 22.12+, LTS 21.06.12+, LTS 22.03.4+ |
| SI-66 | 2022-11-30 | Insecure random number generation in password reset token | High | 22.12+, LTS 21.06.12+, LTS 22.03.4+ |
| SI-65 | 2022-08-17 | Possible DOS by overloading the TempFileResource | Low | 22.10+, LTS 21.06.12+, LTS 22.03.4+ |
| SI-64 | 2022-08-25 | TempFileAPI can bypass access restrictions to access private network resources | Moderate | 22.08+, LTS 21.06.12+, LTS 22.03.4+ |
| SI-63 | 2022-03-28 | Matrix URI parameters can expose private assets | Critical | 22.06, 22.03.2, 21.06.9, 5.3.8.12 |
| SI-62 | 2022-03-28 | Multipart File Directory Traversal can lead to remote execution | Critical | 22.03, 5.3.8.10, 21.06.7 |
| SI-61 | 2021-12-20 | Log4j Zero-Day Exploit (CVE-2021-44228) | Critical | 21.12 (see Mitigations for other versions) |
| SI-60 | 2021-12-14 | Server-Side Request Forgery (SSRF) in dotcms/core | Moderate | 21.12 |
| SI-59 | 2021-12-13 | Improper Privilege Management in Velocity | Moderate | 21.12, 5.3.8.4, 21.06.04 |
| SI-58 | 2021-12-10 | log4j2 JNDI Remote Expoit | Critical | 21.06.4 LTS, 5.3.8.6.2 LTS, 21.12 |
| SI-57 | 2021-05-19 | XStream vulnerable to arbitrary execution of code | Critical | 21.05, 5.3.8.5 |
| SI-56 | 2020-10-30 | Authenticated User SQL Injection Vulnerability in api | Moderate | 20.10.1, 5.3.8 LTS |
| SI-55 | 2020-06-05 | Authenticated users may instantiate arbitrary Java objects | Moderate | 5.3.0 |
| SI-54 | 2020-01-09 | Incorrect access control can lead to information disclosure and remote execution | Critical | 5.2.4 |
| SI-53 | 2019-06-06 | SQL Injection Possible By Publisher Role | Moderate | 5.1.6 |
| SI-52 | 2019-05-23 | Reflected XSS Vulnerability in forward_js.jsp | Moderate | 5.2.0 |
| SI-51 | 2019-01-25 | User Privilege Escalation Possible In Velocity Code | Moderate | 5.1.0 |
| SI-50 | 2019-01-24 | Permissive CORS Policy | Low | TBD |
| SI-49 | 2019-01-24 | Reflected XSS Vulnerability in referer_js.jsp | Moderate | 5.1.0 |
| SI-48 | 2019-01-10 | File Upload Vulnerability | Moderate | TBD |
| SI-47 | 2019-01-10 | File Deletion Vulnerability | Moderate | TBD |
| SI-46 | 2019-01-10 | Client Side URL Redirection | Moderate | TBD |
| SI-44 | 2018-10-03 | XSS vulnerability with image tool | Moderate | 5.0.2 |
| SI-43 | 2017-03-12 | Read access to restricted files in Tomcat on Windows | Moderate | n/a |
| SI-42 | 2017-03-09 | Upload of file types unrestricted | Low | n/a |
| SI-41 | 2017-03-09 | Bundle path traversal | Moderate | 3.7.2 |
| SI-40 | 2017-03-09 | Cross-Site Request Forgery (CSRF) | Moderate | Plugin |
| SI-39 | 2017-01-17 | Blind SQL injection | Critical | 3.6.2 |
| SI-38 | 2016-10-31 | Captcha can be programmatically reused by passing session id | Low | 3.6 |
| SI-37 | 2016-07-27 | Insufficient authentication in the CMSMaintenanceAjax class | Critical | 3.3.2, 3.5.1 |
| SI-36 | 2016-04-12 | SQL Injection from Workflow Screen III | Moderate | 3.3.2, 3.5 |
| SI-35 | 2016-04-12 | SQL Injection via REST api | Critical | 3.3.2, 3.5 |
| SI-34 | 2016-04-11 | Directory traversal vulnerability by Admin | Moderate | 3.3.2, 3.5 |
| SI-33 | 2016-04-11 | XSS in Lucene Search Admin tool | Low | 3.3.2, 3.5 |
| SI-32 | 2016-04-04 | SQL Injection via DWR - Requires Authenticated User | Moderate | 3.3.2, 3.5 |
| SI-31 | 2015-11-30 | CSRF Add User | Critical | 3.3 |
| SI-30 | 2015-11-30 | SQL Injection from Workflow Screen II | Critical | 3.3 |
| SI-29 | 2015-11-30 | SSRF Vulnerability in RESTful ContentAPI | Low | 3.3 |
| SI-28 | 2014-09-23 | jsps exposed to non-authenticated users | Moderate | 3 |
| SI-27 | 2014-09-23 | XSS on “page not found .jsp” | Low | 3 |
| SI-26 | 2014-07-17 | CRLF Header Injection vulnerability | Moderate | 3 |
| SI-25 | 2014-04-21 | Password fields with enabled autocomplete | Low | 2.5.4 |
| SI-24 | 2014-04-21 | Missing Cookie Security Attribute “httpOnly” | Low | 2.5.7 |
| SI-23 | 2014-04-21 | HTTP header injection | Moderate | 2.5.4 |
| SI-22 | 2014-04-21 | Arbitrary URL redirects | Low | 2.5.4 |
| SI-21 | 2014-04-21 | Information disclosure through unauthenticated and unused scripts | Critical | 2.5.4 |
| SI-20 | 2014-04-21 | Vulnerabilities in “Comments” feature | Moderate | 2.5.4 |
| SI-19 | 2014-04-21 | Cross Site Scripting filter bypass | Moderate | 2.5.4 |
| SI-18 | 2014-04-21 | Arbitrary Command Execution | Critical | 2.5.4 |
| SI-17 | 2014-04-21 | Forgot Password generates weak password | Critical | 2.5.4 |
| SI-16 | 2013-07-03 | Stored XSS possible in admin tool as authenticated user | Low | 3 |
| SI-15 | 2013-06-18 | AJAX requests without a session ID or other form of authentication | Critical | 2.3.2 |
| SI-14 | 2013-06-18 | XSS Vulnerability on Login Page | Moderate | 2.3.2 |
| SI-13 | 2013-06-10 | Cross Site Request Forgery (XSRF or CSRF) | Low | n/a |
| SI-12 | 2013-06-08 | Possible Clickjacking / no frame busting code in dotCMS admin | Low | 3 |
| SI-11 | 2013-06-07 | Test pages shipped in product | Low | 2.3.2 |
| SI-10 | 2013-06-07 | Insecure Browser Caching | Low | 2.5 |
| SI-9 | 2013-06-05 | Use of Persistent Cookies | Low | n/a |
| SI-8 | 2013-06-05 | SQL Injection from Workflow Screen | Critical | 2.3.2 |
| SI-7 | 2013-06-04 | Possible Cross Site Redirect | Low | 2.5 |
| SI-6 | 2013-06-04 | Cross Domain Scripts Included Within Application | Low | n/a |
| SI-5 | 2013-06-02 | XSS possible after admin authentication | Low | n/a |
| SI-4 | 2012-09-09 | XSS error on the account login page | Moderate | 2.2 |
| SI-3 | 2012-04-12 | dotCMS template permissions allow arbitrary code execution | Moderate | 1.9.5.1 |
| SI-2 | 2011-06-06 | Cookies do not require SSL | Moderate | 2.5.7 |
| SI-1 | 2011-02-06 | Problem with XSS attack on 404 page | Low | 1.9.2 |
/
