DoraCMS
by DoraCMS
CVEs (7)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-51840 | Cri | 0.64 | 9.8 | 0.01 | Jan 29, 2024 | DoraCMS 2.1.8 is vulnerable to Use of Hard-coded Cryptographic Key. | ||
| CVE-2023-49443 | Cri | 0.64 | 9.8 | 0.01 | Dec 8, 2023 | DoraCMS v2.1.8 was discovered to re-use the same code for verification of valid usernames and passwords. This vulnerability allows attackers to gain access to the application via a bruteforce attack. | ||
| CVE-2022-35147 | Cri | 0.64 | 9.8 | 0.01 | Aug 17, 2022 | DoraCMS v2.18 and earlier allows attackers to bypass login authentication via a crafted HTTP request. | ||
| CVE-2024-28715 | Hig | 0.57 | 8.8 | 0.01 | Mar 19, 2024 | Cross Site Scripting vulnerability in DOraCMS v.2.18 and before allows a remote attacker to execute arbitrary code via the markdown0 function in the /app/public/apidoc/oas3/wrap-components/markdown.jsx endpoint. | ||
| CVE-2020-18220 | Hig | 0.49 | 7.5 | 0.00 | May 20, 2021 | Weak Encoding for Password in DoraCMS v2.1.1 and earlier allows attackers to obtain sensitive information as it does not use a random salt or IV for its AES-CBC encryption, causes password encrypted for users to be susceptible to dictionary attacks. | ||
| CVE-2023-49444 | Med | 0.35 | 5.4 | 0.01 | Dec 8, 2023 | An arbitrary file upload vulnerability in DoraCMS v2.1.8 allow attackers to execute arbitrary code via uploading a crafted HTML or image file to the user avatar. | ||
| CVE-2022-25464 | Med | 0.31 | 4.8 | 0.00 | Mar 20, 2022 | A stored cross-site scripting (XSS) vulnerability in the component /admin/contenttemp of DoraCMS v2.1.8 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
- risk 0.64cvss 9.8epss 0.01
DoraCMS 2.1.8 is vulnerable to Use of Hard-coded Cryptographic Key.
- risk 0.64cvss 9.8epss 0.01
DoraCMS v2.1.8 was discovered to re-use the same code for verification of valid usernames and passwords. This vulnerability allows attackers to gain access to the application via a bruteforce attack.
- risk 0.64cvss 9.8epss 0.01
DoraCMS v2.18 and earlier allows attackers to bypass login authentication via a crafted HTTP request.
- risk 0.57cvss 8.8epss 0.01
Cross Site Scripting vulnerability in DOraCMS v.2.18 and before allows a remote attacker to execute arbitrary code via the markdown0 function in the /app/public/apidoc/oas3/wrap-components/markdown.jsx endpoint.
- risk 0.49cvss 7.5epss 0.00
Weak Encoding for Password in DoraCMS v2.1.1 and earlier allows attackers to obtain sensitive information as it does not use a random salt or IV for its AES-CBC encryption, causes password encrypted for users to be susceptible to dictionary attacks.
- risk 0.35cvss 5.4epss 0.01
An arbitrary file upload vulnerability in DoraCMS v2.1.8 allow attackers to execute arbitrary code via uploading a crafted HTML or image file to the user avatar.
- risk 0.31cvss 4.8epss 0.00
A stored cross-site scripting (XSS) vulnerability in the component /admin/contenttemp of DoraCMS v2.1.8 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.