CVE-2016-8902

9.8 CRITICAL

Published: November 14, 2016 Modified: May 06, 2026

Description

SQL injection vulnerability in the categoriesServlet servlet in dotCMS before 3.3.1 allows remote not authenticated attackers to execute arbitrary SQL commands via the sort parameter.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

http://seclists.org/fulldisclosure/2016/Nov/0

Source: cve@mitre.org

Third Party Advisory

http://www.securityfocus.com/bid/94311

Source: cve@mitre.org

Technical Description VDB Entry

https://github.com/dotCMS/core/pull/8460/

Source: cve@mitre.org

Patch Vendor Advisory

https://github.com/dotCMS/core/pull/8468/

Source: cve@mitre.org

Patch Vendor Advisory

https://security.elarlang.eu/multiple-sql-injection-vulnerabilities-in-dotcms-8x-cve-full-disclosure.html

Source: cve@mitre.org

Exploit Third Party Advisory

http://seclists.org/fulldisclosure/2016/Nov/0