CVE-2025-8311
published 2025-09-04


Priority: P180 · Critical · 9.4 (CVSS 4.0)
Exploited in the wild (ITW exploit; VulnCheck KEV)
EPSS: 1.56% (72.1th percentile)
dotCMS versions 24.03.22 and later contain a Boolean-based blind SQL injection (SQLi) vulnerability in the /api/v1/contenttype endpoint. This endpoint uses the sites query parameter, which accepts a comma-separated list of site identifiers or keys. The vulnerability was triggered via the sites parameter, which was concatenated directly into a SQL query without proper sanitization. Exploitation allowed an authenticated attacker with low privileges to extract data from the database, escalate privileges, or trigger denial-of-service conditions. The vulnerability was verified using tools such as SQLMap and confirmed to allow full database exfiltration and potential denial of service via crafted payloads. The vulnerability is fixed in the following versions of the dotCMS stack: 25.08.14 / 25.07.10-1v2 LTS / 24.12.27v10 LTS / 24.04.24v21 LTS.

Affected (1 range)

Vendor: dotcms
Product: dotcms_cloud_services
Version range: not given
Fixed in: not given

Detection & IOCs (extracted from sources)

  • Monitor HTTP GET requests to /api/v1/contenttype where the 'sites' query parameter contains SQL metacharacters such as single quotes, parentheses, or SQL keywords (AND, SELECT, CASE, WHEN, pg_sleep, substring, chr, UNION, RECURSIVE).
  • Alert on requests to /api/v1/contenttype whose 'sites' parameter contains time-delay SQL injection patterns targeting PostgreSQL, specifically 'pg_sleep', 'generate_series', or 'WITH RECURSIVE'.
  • Flag authenticated low-privilege accounts making high-frequency, iterative GET requests to /api/v1/contenttype with varying 'sites' parameter values — characteristic of character-by-character blind SQLi enumeration.
  • Correlate anomalously long HTTP response times (time-based blind SQLi) on GET /api/v1/contenttype with a Bearer token Authorization header — the exploit uses token-based auth and measures elapsed response time to infer data.
  • The exploit URL-encodes all payload characters before sending, so WAF/IDS rules must decode percent-encoded values before pattern matching against the 'sites' parameter to avoid bypass.
  • The vulnerability affects dotCMS versions 24.03.22 and later; fixed versions are 25.08.14 / 25.07.10-1v2 LTS / 24.12.27v10 LTS / 24.04.24v21 LTS. Detection rules should be scoped to unpatched instances.
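The detection rules above, turned into a small log-analysis script as an added example (not code from this database or from dotCMS): it percent-decodes the 'sites' parameter before matching, labels each request with the indicator classes it hits, and flags accounts that cycle through many distinct 'sites' values. The event tuple shape, the user names and the burst threshold of 20 are assumptions; the sample events are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/api/v1/contenttype"
# Indicator classes from the guidance above, matched case-insensitively on whole words.
METACHARS = re.compile(r"['()]")
SQL_KEYWORDS = re.compile(r"\b(AND|SELECT|CASE|WHEN|substring|chr|UNION|RECURSIVE)\b", re.I)
TIME_BASED = re.compile(r"\b(pg_sleep|generate_series|WITH\s+RECURSIVE)\b", re.I)

def decoded_sites(url):
    """Fully percent-decoded 'sites' value of a contenttype request, else None."""
    parts = urlsplit(url)
    if parts.path != ENDPOINT:
        return None
    values = parse_qs(parts.query).get("sites")
    # parse_qs decodes once; the extra unquote also catches a double-encoded value
    return unquote(values[0]) if values else None

def classify_sites(value):
    """Indicator classes matched by an already-decoded 'sites' value."""
    hits = set()
    if METACHARS.search(value):
        hits.add("metachar")
    if SQL_KEYWORDS.search(value):
        hits.add("sql-keyword")
    if TIME_BASED.search(value):
        hits.add("time-based")
    return hits

def analyze(events, burst_threshold=20):
    """events: (timestamp, user, url) tuples. Returns suspicious requests as
    (timestamp, user, sorted hits) and users with >= burst_threshold distinct values."""
    per_request, distinct = [], defaultdict(set)
    for ts, user, url in events:
        sites = decoded_sites(url)
        if sites is None:
            continue
        distinct[user].add(sites)
        hits = classify_sites(sites)
        if hits:
            per_request.append((ts, user, sorted(hits)))
    enumerators = sorted(u for u, vals in distinct.items() if len(vals) >= burst_threshold)
    return per_request, enumerators

# Constructed sample events (not real traffic): a benign lookup, one encoded time-based probe,
# and a burst of 25 distinct values from one low-privilege user (blind enumeration pattern).
SAMPLE = [(0, "editor", "/api/v1/contenttype?sites=demo.dotcms.com,SYSTEM_HOST"),
          (1, "editor", "/api/v1/contenttype?sites=demo.dotcms.com%27%20AND%20pg_sleep%285%29--")]
SAMPLE += [(2 + i, "lowpriv", f"/api/v1/contenttype?sites=x%27%20AND%20substring%28y%2C{i}%2C1%29%3D%27a")
           for i in range(25)]
```

Feed it `analyze(SAMPLE)` to see the per-request labels and the flagged account; for a real deployment, scope the rule to unpatched versions as the last bullet advises.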

CVSS provenance

NVD: CVSS v4.0, 9.4 CRITICAL, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck: 9.4 CRITICAL