ID CVE-2016-4803
Summary CRLF injection vulnerability in the send email functionality in dotCMS before 3.3.2 allows remote attackers to inject arbitrary email headers via CRLF sequences in the subject. CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') (https://cwe.mitre.org/data/definitions/93.html)
References
Vulnerable Configurations
  • cpe:2.3:a:dotcms:dotcms:1.9:*:*:*:*:*:*:*
  • cpe:2.3:a:dotcms:dotcms:1.9.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:dotcms:dotcms:1.9.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:dotcms:dotcms:2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:dotcms:dotcms:2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:dotcms:dotcms:2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:dotcms:dotcms:2.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:dotcms:dotcms:2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:dotcms:dotcms:2.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:dotcms:dotcms:2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:dotcms:dotcms:2.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:dotcms:dotcms:2.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:dotcms:dotcms:2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:dotcms:dotcms:2.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:dotcms:dotcms:2.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:dotcms:dotcms:2.5.3:*:*:*:*:*:*:*
  • cpe:2.3:a:dotcms:dotcms:2.5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:dotcms:dotcms:3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:dotcms:dotcms:3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:dotcms:dotcms:3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:dotcms:dotcms:3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:dotcms:dotcms:3.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:dotcms:dotcms:3.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:dotcms:dotcms:3.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:dotcms:dotcms:3.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:dotcms:dotcms:3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:dotcms:dotcms:3.3.1:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 28-11-2016 - 20:21)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: PARTIAL
  Availability: NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:P/A:N
refmap via4
bid 91529
confirm https://dotcms.com/docs/latest/change-log#release-3.3.2
fulldisc 20160525 CVE-2016-4803 dotCMS - Email Header Injection
misc https://security.elarlang.eu/cve-2016-4803-dotcms-email-header-injection-vulnerability-full-disclosure.html
Last major update 28-11-2016 - 20:21
Published 30-06-2016 - 17:59
Last modified 28-11-2016 - 20:21