dotCMS v5.1.1 suffers from an HTML injection and XSS vulnerability, in addition to many other vulnerabilities that I am still verifying.
Here’s a screenshot of HTML injection:
To reproduce this vulnerability, simply go to https://dotcms.com/dotAdmin/, log in with their demo credentials (username: adm[email protected], password: admin), and then visit the following URL:
There are more unconfirmed vulnerabilities in dotCMS.