
Wezell

Rank: #21340 of 53,632
Total CVSS: 11.5
Vulnerabilities: 2 (Medium: 1, High: 1)
PT-2016-5816 · CVSS 7.2 · 2016-04-19
Dotcms · Dotcms · CVE-2016-4040

**Name of the Vulnerable Software and Affected Versions** dotCMS versions prior to 3.3.2

**Description** The issue allows remote administrators to execute arbitrary SQL commands. This is achieved via the `orderby` parameter in the Workflow Screen.

**Recommendations** For versions prior to 3.3.2, update to version 3.3.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Workflow Screen or avoiding the use of the `orderby` parameter until the update is applied.
PT-2014-2684 · CVSS 4.3 · 2014-04-02
Dotcms · Dotcms · CVE-2013-3484

**Name of the Vulnerable Software and Affected Versions** dotCMS versions prior to 2.3.2

**Description** The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the `loginUserName` parameter to the `application/login/login.html` endpoint, the `my_account_login` parameter to the `c/portal_public/login` endpoint, or the `email` parameter to the `forgotPassword` endpoint.

**Recommendations** For versions prior to 2.3.2, update to version 2.3.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable endpoints until a patch is applied. Avoid using the `loginUserName`, `my_account_login`, and `email` parameters in the affected endpoints until the issue is resolved.