Posted by Elar Lang on May 25
Title: CVE-2016-4803 dotCMS – Email Header Injection
Credit: Elar Lang / https://security.elarlang.eu
Vulnerability: Email Header Injection
Vulnerable version: before 3.5 / 3.3.2
CVE: CVE-2016-4803
Vendor: dotCMS (http://dotcms.com/)
# Description
dotCMS has email-sending functionality at the path /dotCMS/sendEmail/.
Some parameters are vulnerable to Email Header Injection.
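As an added illustration of this vulnerability class (not dotCMS code and not part of the original advisory), the sketch below builds a header block from request parameters with and without a control-character check. The field names, addresses and helper functions are hypothetical; the advisory does not name the affected parameters.

```python
import re

# CR, LF and other control characters can end a header line early.
_CTL = re.compile(r"[\x00-\x1f\x7f]")
# Hypothetical set of headers a web form is allowed to populate.
ALLOWED = ("From", "To", "Subject")


def build_headers_unsafe(params):
    """Naive header block: request values are concatenated verbatim."""
    return "".join(f"{name}: {params[name]}\r\n" for name in ALLOWED)


def build_headers_safe(params):
    """Reject any value containing a control character before using it."""
    lines = []
    for name in ALLOWED:
        value = params.get(name, "")
        if _CTL.search(value):
            raise ValueError(f"control character in {name!r} value")
        lines.append(f"{name}: {value}\r\n")
    return "".join(lines)


def header_names(block):
    """Field names a line-based mail parser would find in the block."""
    return [ln.split(":", 1)[0] for ln in block.splitlines() if ":" in ln]


# Constructed request parameters (sample data, not taken from dotCMS).
CLEAN = {"From": "web@example.com", "To": "sales@example.com",
         "Subject": "Hello"}
TAINTED = dict(CLEAN, Subject="Hello\r\nBcc: third-party@example.net")

if __name__ == "__main__":
    # The unchecked builder lets one parameter contribute a second header.
    print(header_names(build_headers_unsafe(TAINTED)))
    try:
        build_headers_safe(TAINTED)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting the request is preferable to stripping the characters, since a value that contains CR or LF is never a legitimate single-line header.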
# Preconditions
There is no pre-condition on authentication or on…