VYPR

DoraCMS

by DoraCMS

CVEs (7)

  • CVE-2023-51840CriJan 29, 2024
    risk 0.64cvss 9.8epss 0.01

    DoraCMS 2.1.8 is vulnerable to Use of Hard-coded Cryptographic Key.

  • CVE-2023-49443CriDec 8, 2023
    risk 0.64cvss 9.8epss 0.01

    DoraCMS v2.1.8 was discovered to re-use the same code for verification of valid usernames and passwords. This vulnerability allows attackers to gain access to the application via a bruteforce attack.

  • CVE-2022-35147CriAug 17, 2022
    risk 0.64cvss 9.8epss 0.01

    DoraCMS v2.18 and earlier allows attackers to bypass login authentication via a crafted HTTP request.

  • CVE-2024-28715HigMar 19, 2024
    risk 0.57cvss 8.8epss 0.01

    Cross Site Scripting vulnerability in DOraCMS v.2.18 and before allows a remote attacker to execute arbitrary code via the markdown0 function in the /app/public/apidoc/oas3/wrap-components/markdown.jsx endpoint.

  • CVE-2020-18220HigMay 20, 2021
    risk 0.49cvss 7.5epss 0.00

    Weak Encoding for Password in DoraCMS v2.1.1 and earlier allows attackers to obtain sensitive information as it does not use a random salt or IV for its AES-CBC encryption, causes password encrypted for users to be susceptible to dictionary attacks.

  • CVE-2023-49444MedDec 8, 2023
    risk 0.35cvss 5.4epss 0.01

    An arbitrary file upload vulnerability in DoraCMS v2.1.8 allow attackers to execute arbitrary code via uploading a crafted HTML or image file to the user avatar.

  • CVE-2022-25464MedMar 20, 2022
    risk 0.31cvss 4.8epss 0.00

    A stored cross-site scripting (XSS) vulnerability in the component /admin/contenttemp of DoraCMS v2.1.8 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.