CRITICAL🇵🇱 Wersja polska

CVE-2023-51840

CVSS 9.8v3.1pub. 2024-01-29upd. 2025-05-29

DoraCMS 2.1.8 is vulnerable to Use of Hard-coded Cryptographic Key.

🤖 AI Analysis
How it works

The cryptographic key is embedded directly in the source code of the DoraCMS application, which means that each instance of the software uses an identical, publicly available or easily readable secret. An attacker, knowing this key, can forge session tokens, sign malicious data, or otherwise bypass authentication and authorization mechanisms. The vulnerability severity (CVSS 9.8) indicates that the attack can be carried out remotely without authentication and without any user interaction.

Impact

An attacker can gain full control over the application — read and modify protected data (C:H, I:H) and cause service unavailability (A:H), which corresponds to maximum impact in all three security areas.

Mitigation & patch

Patches available from the vendor should be applied according to the references. It is recommended to update DoraCMS as soon as possible to a version where the cryptographic key is generated individually per instance, and immediately change all keys and secrets in production deployments based on version 2.1.8.

Who is affected

DoraCMS version 2.1.8 (Html-Js DoraCMS)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Html Js Doracms

    APP
    Html-Js
    2.1.8
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2023-49443CRITICAL9.8PL ✓ten sam produkt

DoraCMS – podatność na atak brute-force przez ponowne użycie kodu weryfikacyjnego

CVE-2022-35147CRITICAL9.8ten sam produkt

DoraCMS v2.18 and earlier allows attackers to bypass login authentication via a crafted HTTP request.

CVE-2024-28715HIGH8.8ten sam produkt

Cross Site Scripting vulnerability in DOraCMS v.2.18 and before allows a remote attacker to execute arbitrary ...

CVE-2020-18220HIGH7.5ten sam produkt

Weak Encoding for Password in DoraCMS v2.1.1 and earlier allows attackers to obtain sensitive information as i...

CVE-2026-3794MEDIUM5.5ten sam produkt

A vulnerability was identified in doramart DoraCMS 3.0.x. This issue affects some unknown processing of the fi...