CVE-2020-35274

MEDIUM

DotCMS 20.11 - Stored Cross-Site Scripting in Admin Panel Template Addition

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-35274. PoCs published by Hardik Solanki.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in DotCMS 20.11 via the Template Title field. The payload executes when navigating to the Template section, confirming persistent script injection.

Description

The Add Template feature in the DotCMS 20.11 admin panel is affected by cross-site scripting (XSS), which can be used to gain remote privileges. An attacker could compromise the security of a website or web application through a stored XSS attack and steal cookies using XSS.

Exploits (1)

exploitdb WORKING POC
by Hardik Solanki · text · webapps · multiple
https://www.exploit-db.com/exploits/49168


Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: DotCMS 20.11
Auth required
Prerequisites: admin credentials · access to the DotCMS admin panel
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Product x_refsource_misc
http://dotcms.com
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/49168

Scores

CVSS v3 4.8
EPSS 0.0061
EPSS Percentile 44.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
dotcms/dotcms 20.11
Published Dec 21, 2020
Tracked Since Feb 18, 2026