{"id":"CVE-2024-3938","details":"The \"reset password\" login page accepted an HTML injection via URL parameters.\n\nThis has already been rectified via a patch, and as such it cannot be demonstrated via the demo site link. Those interested in seeing the vulnerability may spin up a local instance and open http://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true&resetEmail=%3Ch1%3E%3Ca%20href%3D%22https:%2F%2Fgoogle.com%22%3ECLICK%20ME%3C%2Fa%3E%3C%2Fh1%3E \n\nThis will result in a view along these lines:\n\n\n\n\n\n  *  OWASP Top 10 - A03: Injection\n  *  CVSS Score: 5.4\n  *   AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator \n  *   https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N&... https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator","modified":"2026-04-10T05:13:36.334014Z","published":"2024-07-25T22:15:08.903Z","references":[{"type":"ADVISORY","url":"https://www.dotcms.com/security/SI-71"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/dotcms/core","events":[{"introduced":"ecc5abc7d7615e24c083c41483319e34243211a0"},{"fixed":"976f31730557c1e3f120ee85710e621cfa6c06a9"},{"introduced":"3feb6fa6ebdcf1509252fbf9ee7e53017c8bf96f"},{"last_affected":"20de9e9f791d40b6655c3cd506d74fce8fcb4f2d"},{"introduced":"1122a5760e412966e13d35f75436cb6fcd6f5d60"},{"last_affected":"703fb5c3d30f99779a10e0f7a1543c17033becd1"},{"introduced":"cc91f975b70b3f77a1b28c51ef504b965baf2896"},{"fixed":"8fac77cf07a65bbd0780f4f029b70d23eee02f5c"},{"introduced":"0"},{"last_affected":"e32f4c872fbd0576ce4587aacaa26cc2995b9ce5"},{"introduced":"0"},{"last_affected":"449022e9c932f0500b8bcba3370740feba87c852"},{"introduced":"0"},{"last_affected":"5374aed6949aa5c6dbac269cc3944c7b79ee0d78"},{"introduced":"0"},{"last_affected":"f02f738fbdb827a4313caac9f376dd16af957fbe"},{"introduced":"0"},{"last_affected":"4ce542de6e940eeb0ced492d69f33fba39c984f2"},{"introduced":"0"},{"last_affected":"2457af35bdc9710d66bc5bf10c34004d104ed5bd"}
,{"introduced":"0"},{"last_affected":"e26d237d61c9cf0691cb8f093c6c08ee5b47a924"},{"introduced":"0"},{"last_affected":"c5e93f4fd71de3c021ba5cee5b2ffb1b6cbd414f"},{"introduced":"0"},{"last_affected":"1297bb256ca306e00a037b7766644f33cac75cfa"},{"introduced":"0"},{"last_affected":"2be63a56ad7536b23c996adb8f5ea346a9eb5cd1"},{"introduced":"0"},{"last_affected":"faa050464e2bec249af93a7d5c6dbbece123ef27"},{"introduced":"0"},{"last_affected":"a53d05b1f6539db84b140116be4a67af0a7d1950"},{"introduced":"0"},{"last_affected":"d169c8c5baaec246e0bd6d6ab880e0517802d9f1"},{"introduced":"0"},{"last_affected":"2030eb1b178f62713374e0ff7e87caacf7bc1b4c"},{"introduced":"0"},{"last_affected":"423defe5d27d9499c805c5aa7c582a8fbeb58e4f"},{"introduced":"0"},{"last_affected":"de4c9e76227dcd1f6f885d52077f741de4d4de0c"}],"database_specific":{"versions":[{"introduced":"5.1.5"},{"fixed":"23.01.18"},{"introduced":"23.02"},{"last_affected":"23.09.7"},{"introduced":"23.12.21"},{"last_affected":"24.04.23"},{"introduced":"24.05.13"},{"fixed":"24.05.31"},{"introduced":"0"},{"last_affected":"23.10.24-1"},{"introduced":"0"},{"last_affected":"23.10.24-10"},{"introduced":"0"},{"last_affected":"23.10.24-2"},{"introduced":"0"},{"last_affected":"23.10.24-3"},{"introduced":"0"},{"last_affected":"23.10.24-4"},{"introduced":"0"},{"last_affected":"23.10.24-5"},{"introduced":"0"},{"last_affected":"23.10.24-6"},{"introduced":"0"},{"last_affected":"23.10.24-7"},{"introduced":"0"},{"last_affected":"23.10.24-8"},{"introduced":"0"},{"last_affected":"23.10.24-9"},{"introduced":"0"},{"last_affected":"23.10.24.0"},{"introduced":"0"},{"last_affected":"24.04.24-NA"},{"introduced":"0"},{"last_affected":"24.04.24-0"},{"introduced":"0"},{"last_affected":"24.04.24-1"},{"introduced":"0"},{"last_affected":"24.04.24-2"},{"introduced":"0"},{"last_affected":"24.04.24-3"}]}}],"versions":["22.10.1","3.0","3.5","3.5_Preview01","3.5_Preview02","3.6.0","pre-release.07.13.23","pre3.5buildrevert","release_candidate","v23.01","v23.01.1","v23.
01.10","v23.01.11","v23.01.12","v23.01.13","v23.01.14","v23.01.15","v23.01.16","v23.01.17","v23.01.2","v23.01.3","v23.01.4","v23.01.5","v23.01.6","v23.01.7","v23.01.8","v23.01.9","v23.09-pre","v23.09.7","v23.10.24","v23.10.24_lts_v0","v23.10.24_lts_v1","v23.10.24_lts_v10","v23.10.24_lts_v2","v23.10.24_lts_v3","v23.10.24_lts_v4","v23.10.24_lts_v5","v23.10.24_lts_v6","v23.10.24_lts_v7","v23.10.24_lts_v8","v23.10.24_lts_v9","v24.03.22","v24.04.23","v24.04.24","v24.04.24_lts_v0","v24.04.24_lts_v1","v24.04.24_lts_v2","v24.04.24_lts_v3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-3938.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}