Lucene search
K
Html-jsDoracms

10 matches found

CVE
CVE
added 2022/03/20 6:34 p.m.84 views

CVE-2022-25464

CVE-2022-25464 is a stored XSS vulnerability in DoraCMS v2.1.8 affecting the component /admin/contenttemp. The issue allows an attacker to inject arbitrary scripts/HTML via a crafted payload. Public details place CVSSv3.1 base score at 4.8 (MEDIUM) with network access, low attack complexity, user...

4.8CVSS4.9AI score0.00435EPSS
CVE
CVE
added 2024/03/19 12:0 a.m.75 views

CVE-2024-28715

CVE-2024-28715 affects DoraCMS v2.18 and earlier. A cross-site scripting issue in the markdown0 function of /app/public/apidoc/oas3/wrap-components/markdown.jsx allows remote attackers to execute arbitrary code. Multiple connected sources confirm this, including Red Hat and PT Security. Mitigatio...

8.8CVSS7.3AI score0.01071EPSS
Web
CVE
CVE
added 2021/05/20 7:55 p.m.67 views

CVE-2020-18220

DoraCMS v2.1.1 and earlier uses AES-CBC without a random salt/IV for password encryption, exposing passwords to dictionary attacks. The issue is documented across multiple sources (CVE-2020-18220) and indicates weak encoding rather than a broader vulnerability. Affected component is the password-...

7.5CVSS7.3AI score0.00412EPSS
CVE
CVE
added 2023/12/08 12:0 a.m.54 views

CVE-2023-49443

CVE-2023-49443 affects DoraCMS v2.1.8. The root cause is re-use of the same code to verify usernames and passwords, enabling brute-force access to the application. Documents describe impact as attacker access via brute force over the network (no user interaction). Mitigation in the sources includ...

9.8CVSS9.5AI score0.00815EPSS
CVE
CVE
added 2022/08/17 8:49 p.m.53 views

CVE-2022-35147

DoraCMS v2.18 and earlier has an authentication bypass vulnerability (CVE-2022-35147). The issue allows an attacker to bypass login via a crafted HTTP request, enabling unauthorized access. Affected software is DoraCMS, versions up to 2.18; root cause involves bypassing authentication logic. Impa...

9.8CVSS9.3AI score0.01256EPSS
CVE
CVE
added 2023/12/08 12:0 a.m.48 views

CVE-2023-49444

CVE-2023-49444 affects DoraCMS v2.1.8. An arbitrary file upload vulnerability exists that allows code execution when a crafted HTML or image file is uploaded to a user avatar. The public description attributes the flaw to a file-upload weakness but does not provide detailed root-cause or affected...

5.4CVSS6.1AI score0.0051EPSS
CVE
CVE
added 2024/01/29 12:0 a.m.48 views

CVE-2023-51840

Affected software: DoraCMS 2.1.8 (Node.js stack with Egg.js and MongoDB, per CNNVD/CVE context). Vulnerability: Use of a hard-coded cryptographic key, leading to exposure of sensitive data and potential tampering. Root cause (as stated): Hard-coded cryptographic key within DoraCMS 2.1.8. Impact (...

9.8CVSS9.3AI score0.00621EPSS
CVE
CVE
added 2018/09/06 7:0 p.m.39 views

CVE-2018-16622

The CVE-2018-16622 entry affects DoraCMS v2.0.3. Affected component: the API endpoint /api/content/addOne (related to users/userAddContent). Technical detail: the description states multiple cross-site scripting (XSS) vulnerabilities that allow remote attackers to inject arbitrary web script or H...

5.4CVSS5.4AI score0.00788EPSS
Web
CVE
CVE
added 2026/03/09 1:32 a.m.19 views

CVE-2026-3794

Doramart DoraCMS 3.0.x is affected in the Email API component (/api/v1/mail/send) where improper authentication can be exploited remotely. Public exploit available; vendor did not respond to disclosure. Connected sources (CVE listings, Red Hat/EUVD/NVD mirrors, AttackersKB) confirm remote access ...

9.8CVSS6.7AI score0.00653EPSS
CVE
CVE
added 2026/03/09 2:2 a.m.14 views

CVE-2026-3795

CVE-2026-3795 affects doramart DoraCMS 3.0.x. The vulnerability lies in the function createFileBypath in /DoraCMS/server/app/router/api/v1.js, enabling path traversal via manipulation. The attack is remotely initiable, the exploit is public, and vendors have not responded. Multiple sources (NVD, ...

9.8CVSS6.3AI score0.00656EPSS