CVE-2024-3938

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-3938

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-3938.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-3938

Published

2024-07-25T22:15:08.903Z

Modified

2026-04-10T05:13:36.334014Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

The "reset password" login page accepted an HTML injection via URL parameters.

This has already been rectified via patch, and as such it cannot be demonstrated via Demo site link. Those interested to see the vulnerability may spin up a http://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true&resetEmail=%3Ch1%3E%3Ca%20href%3D%22https:%2F%2Fgoogle.com%22%3ECLICK%20ME%3C%2Fa%3E%3C%2Fh1%3E

This will result in a view along these lines:

OWASP Top 10 - A03: Injection
CVSS Score: 5.4
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N&... https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

References

https://www.dotcms.com/security/SI-71

Affected packages

Git / github.com/dotcms/core

Affected ranges

Type

GIT

Repo

https://github.com/dotcms/core

Events

Introduced

ecc5abc7d7615e24c083c41483319e34243211a0

Fixed

976f31730557c1e3f120ee85710e621cfa6c06a9

Introduced

3feb6fa6ebdcf1509252fbf9ee7e53017c8bf96f

Last affected

20de9e9f791d40b6655c3cd506d74fce8fcb4f2d

Introduced

1122a5760e412966e13d35f75436cb6fcd6f5d60

Last affected

703fb5c3d30f99779a10e0f7a1543c17033becd1

Introduced

cc91f975b70b3f77a1b28c51ef504b965baf2896

Fixed

8fac77cf07a65bbd0780f4f029b70d23eee02f5c

Introduced

Last affected

e32f4c872fbd0576ce4587aacaa26cc2995b9ce5

Introduced

Last affected

449022e9c932f0500b8bcba3370740feba87c852

Introduced

Last affected

5374aed6949aa5c6dbac269cc3944c7b79ee0d78

Introduced

Last affected

f02f738fbdb827a4313caac9f376dd16af957fbe

Introduced

Last affected

4ce542de6e940eeb0ced492d69f33fba39c984f2

Introduced

Last affected

2457af35bdc9710d66bc5bf10c34004d104ed5bd

Introduced

Last affected

e26d237d61c9cf0691cb8f093c6c08ee5b47a924

Introduced

Last affected

c5e93f4fd71de3c021ba5cee5b2ffb1b6cbd414f

Introduced

Last affected

1297bb256ca306e00a037b7766644f33cac75cfa

Introduced

Last affected

2be63a56ad7536b23c996adb8f5ea346a9eb5cd1

Introduced

Last affected

faa050464e2bec249af93a7d5c6dbbece123ef27

Introduced

Last affected

a53d05b1f6539db84b140116be4a67af0a7d1950

Introduced

Last affected

d169c8c5baaec246e0bd6d6ab880e0517802d9f1

Introduced

Last affected

2030eb1b178f62713374e0ff7e87caacf7bc1b4c

Introduced

Last affected

423defe5d27d9499c805c5aa7c582a8fbeb58e4f

Introduced

Last affected

de4c9e76227dcd1f6f885d52077f741de4d4de0c

Database specific

{
    "versions": [
        {
            "introduced": "5.1.5"
        },
        {
            "fixed": "23.01.18"
        },
        {
            "introduced": "23.02"
        },
        {
            "last_affected": "23.09.7"
        },
        {
            "introduced": "23.12.21"
        },
        {
            "last_affected": "24.04.23"
        },
        {
            "introduced": "24.05.13"
        },
        {
            "fixed": "24.05.31"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "23.10.24-1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "23.10.24-10"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "23.10.24-2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "23.10.24-3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "23.10.24-4"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "23.10.24-5"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "23.10.24-6"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "23.10.24-7"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "23.10.24-8"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "23.10.24-9"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "23.10.24.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "24.04.24-NA"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "24.04.24-0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "24.04.24-1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "24.04.24-2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "24.04.24-3"
        }
    ]
}

Affected versions

22.*

22.10.1

3.*

3.0

3.5

3.5_Preview01

3.5_Preview02

3.6.0

pre-release.*

pre-release.07.13.23

pre3.*

pre3.5buildrevert

Other

release_candidate

v23.*

v23.01

v23.01.1

v23.01.10

v23.01.11

v23.01.12

v23.01.13

v23.01.14

v23.01.15

v23.01.16

v23.01.17

v23.01.2

v23.01.3

v23.01.4

v23.01.5

v23.01.6

v23.01.7

v23.01.8

v23.01.9

v23.09-pre

v23.09.7

v23.10.24

v23.10.24_lts_v0

v23.10.24_lts_v1

v23.10.24_lts_v10

v23.10.24_lts_v2

v23.10.24_lts_v3

v23.10.24_lts_v4

v23.10.24_lts_v5

v23.10.24_lts_v6

v23.10.24_lts_v7

v23.10.24_lts_v8

v23.10.24_lts_v9

v24.*

v24.03.22

v24.04.23

v24.04.24

v24.04.24_lts_v0

v24.04.24_lts_v1

v24.04.24_lts_v2

v24.04.24_lts_v3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-3938.json"