CVE-2025-8311
Published 2025-09-04
Priority P1 · 80 · Critical 9.4 (CVSS 4.0)
ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 1.56% (72.1st percentile)
dotCMS versions 24.03.22 and later contain a Boolean-based blind SQL injection (SQLi) vulnerability in the /api/v1/contenttype endpoint. This endpoint takes a sites query parameter that accepts a comma-separated list of site identifiers or keys.
The vulnerability is triggered via the sites parameter, whose value was concatenated directly into a SQL query without proper sanitization.
Exploitation allows an authenticated attacker with low privileges to extract data from the database, escalate privileges, or trigger denial-of-service conditions.
The vulnerability was verified with tools such as SQLMap and confirmed to allow full database exfiltration and potential denial-of-service conditions via crafted payloads.
The vulnerability is fixed in the following versions of the dotCMS stack: 25.08.14 / 25.07.10-1v2 LTS / 24.12.27v10 LTS / 24.04.24v21 LTS
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dotcms | dotcms_cloud_services | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP GET requests to /api/v1/contenttype where the 'sites' query parameter contains SQL metacharacters such as single quotes or parentheses, or SQL keywords (AND, SELECT, CASE, WHEN, pg_sleep, substring, chr, UNION, RECURSIVE).
- Alert on requests to /api/v1/contenttype whose 'sites' parameter contains time-delay SQL injection patterns targeting PostgreSQL, specifically 'pg_sleep', 'generate_series', or 'WITH RECURSIVE'.
- Flag authenticated low-privilege accounts making high-frequency, iterative GET requests to /api/v1/contenttype with varying 'sites' parameter values, which is characteristic of character-by-character blind SQLi enumeration.
- Correlate anomalously long HTTP response times (time-based blind SQLi) on GET /api/v1/contenttype with a Bearer token Authorization header: the exploit uses token-based auth and measures elapsed response time to infer data.
- The exploit URL-encodes all payload characters before sending, so WAF/IDS rules must decode percent-encoded values before pattern matching against the 'sites' parameter to avoid bypass.
- The vulnerability affects dotCMS versions 24.03.22 and later; fixed versions are 25.08.14 / 25.07.10-1v2 LTS / 24.12.27v10 LTS / 24.04.24v21 LTS. Detection rules should be scoped to unpatched instances.
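The detection guidance above can be turned into a small log-analysis routine. The following is an added example written for this page, not dotCMS code and not a published detection rule: it percent-decodes the 'sites' parameter until the value is stable (so single- or double-encoded payloads are matched alike), checks the decoded value for the metacharacters and keywords listed above, flags slow responses that carry a time-delay pattern, and counts distinct 'sites' values per auth token to surface character-by-character enumeration. The access-log shape, the token identifiers, the 3000 ms slow-response threshold and the sample log lines are all constructed for the example.

```python
"""Detection helper for CVE-2025-8311-style probes against /api/v1/contenttype.

Added example for this page; not dotCMS code. Log format, thresholds and
sample lines are constructed assumptions, not values taken from the advisory.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/api/v1/contenttype"

# Indicators named in the advisory's detection guidance.
SQL_KEYWORDS = ("and", "select", "case", "when", "pg_sleep", "substring",
                "chr", "union", "recursive", "generate_series")
KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)
METACHAR_RE = re.compile(r"['()]")
TIME_BASED_RE = re.compile(r"pg_sleep|generate_series|with\s+recursive", re.IGNORECASE)
SLOW_MS = 3000  # assumed threshold for "anomalously long" responses

# Constructed access-log shape (assumption, not dotCMS's real log format):
#   <client-ip> <auth-token-id> "<METHOD> <target> HTTP/x.y" <status> <millis>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<token>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<ms>\d+)$')


def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing, so double-encoded
    payloads are inspected in their final form rather than slipping past."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def sites_values(target):
    """Return the individual 'sites' entries of a contenttype request, or
    None when the request is for some other path."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return None
    raw = parse_qs(parts.query, keep_blank_values=True)  # decodes one layer
    return [s for v in raw.get("sites", []) for s in v.split(",")]


def inspect_request(line):
    """Classify one log line; None if it is not a contenttype request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    values = sites_values(m["target"])
    if values is None:
        return None
    decoded = [decode_fully(v) for v in values]
    joined = " ".join(decoded)
    keywords = sorted({k.lower() for k in KEYWORD_RE.findall(joined)})
    metachars = bool(METACHAR_RE.search(joined))
    return {
        "token": m["token"],
        "sites": decoded,
        "metachars": metachars,
        "keywords": keywords,
        "time_based": bool(TIME_BASED_RE.search(joined)),
        "slow": int(m["ms"]) >= SLOW_MS,
        "suspicious": metachars or bool(keywords),
    }


def analyze_log(lines, burst_threshold=5):
    """Per-request checks plus the per-token enumeration heuristic.
    Returns (line_no, alert_kind, token) tuples; line_no 0 marks a
    per-token summary alert rather than a single request."""
    alerts = []
    distinct_by_token = defaultdict(set)
    for n, line in enumerate(lines, 1):
        r = inspect_request(line)
        if r is None:
            continue
        distinct_by_token[r["token"]].update(r["sites"])
        if r["time_based"] and r["slow"]:
            alerts.append((n, "time-based-sqli", r["token"]))
        elif r["suspicious"]:
            alerts.append((n, "sqli-metachars", r["token"]))
    for token, vals in distinct_by_token.items():
        if len(vals) >= burst_threshold:
            alerts.append((0, "blind-enumeration", token))
    return alerts


# Constructed sample log: one benign list of site keys, one unrelated request,
# one slow request carrying a time-delay keyword, and a burst of double-encoded
# boolean probes from the same token (hypothetical token ids tok-a1 / tok-b2).
SAMPLE_LOG = [
    '10.0.0.5 tok-a1 "GET /api/v1/contenttype?sites=demo.dotcms.com,SYSTEM_HOST HTTP/1.1" 200 18',
    '10.0.0.5 tok-a1 "GET /api/v1/workflow/schemes HTTP/1.1" 200 7',
    '10.0.0.9 tok-b2 "GET /api/v1/contenttype?sites=demo%27%29%20AND%20pg_sleep%285%29--%20 HTTP/1.1" 200 5012',
] + [
    f'10.0.0.9 tok-b2 "GET /api/v1/contenttype?sites=demo%2527%2520AND%2520{i}%253D{i} HTTP/1.1" 200 21'
    for i in range(1, 7)
]

if __name__ == "__main__":
    for line_no, kind, token in analyze_log(SAMPLE_LOG):
        print(f"line {line_no or '-'}: {kind} (token {token})")
```

The routine decodes before matching, as the guidance requires, and treats a comma-separated list of plain site keys as benign; the distinct-value counter is a deliberately coarse stand-in for a real rate-based rule and should be tuned against normal traffic for the instance.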
CVSS provenance
- NVD (CVSS v4.0): 9.4 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- VulnCheck: 9.4 CRITICAL
GHSA
GHSA-9qw9-jx9r-5rcc (ghsa_unreviewed, 2025-09-04): CVE-2025-8311, severity MEDIUM, CWE-89. The advisory text repeats the description given above.
VulnCheck
CVE-2025-8311 [CRITICAL], CVSS 9.4 (VulnCheck, 2025): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). The VulnCheck entry repeats the description given above.
No detection rules found.
No writeups or analysis indexed.