CRITICAL🇵🇱 Wersja polska

CVE-2023-49443

CVSS 9.8v3.1pub. 2023-12-08upd. 2024-11-21

DoraCMS v2.1.8 was discovered to re-use the same code for verification of valid usernames and passwords. This vulnerability allows attackers to gain access to the application via a bruteforce attack.

🤖 AI Analysis
How it works

DoraCMS v2.1.8 reuses the same verification code when validating username and password, instead of generating a new code for each login attempt. This mechanism (CWE-307 – lack of restrictions on excessive authentication attempts) allows an attacker to make multiple login attempts without invalidating the verification code. As a result, automated mass testing of authentication credentials using brute-force method is possible.

Impact

An attacker can gain unauthorized access to a user or administrator account of the application, potentially resulting in complete system takeover and violation of data confidentiality, integrity, and availability.

Mitigation & patch

Patches available from the vendor should be applied according to references. Additionally, it is recommended to implement mechanisms limiting login attempts (e.g., account lockout after a specified number of failed attempts, CAPTCHA, rate limiting) and enforce generation of a new verification code after each authentication attempt.

Who is affected

DoraCMS v2.1.8

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Html Js Doracms

    APP
    Html-Js
    2.1.8
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2023-51840CRITICAL9.8PL ✓ten sam produkt

DoraCMS 2.1.8 — użycie zakodowanego na stałe klucza kryptograficznego

CVE-2022-35147CRITICAL9.8ten sam produkt

DoraCMS v2.18 and earlier allows attackers to bypass login authentication via a crafted HTTP request.

CVE-2024-28715HIGH8.8ten sam produkt

Cross Site Scripting vulnerability in DOraCMS v.2.18 and before allows a remote attacker to execute arbitrary ...

CVE-2020-18220HIGH7.5ten sam produkt

Weak Encoding for Password in DoraCMS v2.1.1 and earlier allows attackers to obtain sensitive information as i...

CVE-2026-3794MEDIUM5.5ten sam produkt

A vulnerability was identified in doramart DoraCMS 3.0.x. This issue affects some unknown processing of the fi...