10 matches found
CVE-2022-25464
CVE-2022-25464 is a stored XSS vulnerability in DoraCMS v2.1.8 affecting the component /admin/contenttemp. The issue allows an attacker to inject arbitrary scripts/HTML via a crafted payload. Public details place CVSSv3.1 base score at 4.8 (MEDIUM) with network access, low attack complexity, user...
CVE-2024-28715
CVE-2024-28715 affects DoraCMS v2.18 and earlier. A cross-site scripting issue in the markdown0 function of /app/public/apidoc/oas3/wrap-components/markdown.jsx allows remote attackers to execute arbitrary code. Multiple connected sources confirm this, including Red Hat and PT Security. Mitigatio...
CVE-2020-18220
DoraCMS v2.1.1 and earlier uses AES-CBC without a random salt/IV for password encryption, exposing passwords to dictionary attacks. The issue is documented across multiple sources (CVE-2020-18220) and indicates weak encoding rather than a broader vulnerability. Affected component is the password-...
CVE-2023-49443
CVE-2023-49443 affects DoraCMS v2.1.8. The root cause is re-use of the same code to verify usernames and passwords, enabling brute-force access to the application. Documents describe impact as attacker access via brute force over the network (no user interaction). Mitigation in the sources includ...
CVE-2022-35147
DoraCMS v2.18 and earlier has an authentication bypass vulnerability (CVE-2022-35147). The issue allows an attacker to bypass login via a crafted HTTP request, enabling unauthorized access. Affected software is DoraCMS, versions up to 2.18; root cause involves bypassing authentication logic. Impa...
CVE-2023-49444
CVE-2023-49444 affects DoraCMS v2.1.8. An arbitrary file upload vulnerability exists that allows code execution when a crafted HTML or image file is uploaded to a user avatar. The public description attributes the flaw to a file-upload weakness but does not provide detailed root-cause or affected...
CVE-2023-51840
Affected software: DoraCMS 2.1.8 (Node.js stack with Egg.js and MongoDB, per CNNVD/CVE context). Vulnerability: Use of a hard-coded cryptographic key, leading to exposure of sensitive data and potential tampering. Root cause (as stated): Hard-coded cryptographic key within DoraCMS 2.1.8. Impact (...
CVE-2018-16622
The CVE-2018-16622 entry affects DoraCMS v2.0.3. Affected component: the API endpoint /api/content/addOne (related to users/userAddContent). Technical detail: the description states multiple cross-site scripting (XSS) vulnerabilities that allow remote attackers to inject arbitrary web script or H...
CVE-2026-3794
Doramart DoraCMS 3.0.x is affected in the Email API component (/api/v1/mail/send) where improper authentication can be exploited remotely. Public exploit available; vendor did not respond to disclosure. Connected sources (CVE listings, Red Hat/EUVD/NVD mirrors, AttackersKB) confirm remote access ...
CVE-2026-3795
CVE-2026-3795 affects doramart DoraCMS 3.0.x. The vulnerability lies in the function createFileBypath in /DoraCMS/server/app/router/api/v1.js, enabling path traversal via manipulation. The attack is remotely initiable, the exploit is public, and vendors have not responded. Multiple sources (NVD, ...