CRITICAL🇵🇱 Wersja polska

CVE-2025-70841

CVSS 10.0v3.1pub. 2026-02-03upd. 2026-02-11

Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed file contains Laravel application encryption key (APP_KEY), database credentials, SMTP/SendGrid API credentials, and internal configuration parameters, enabling complete system compromise including authentication bypass via session token forgery, direct database access to all tenant data, and email infrastructure takeover. Due to the multi-tenancy architecture, this vulnerability affects all tenants in the system.

🤖 AI Analysis
How it works

An attacker sends an unauthenticated HTTP GET request to /script/.env on the application server. This file is not properly protected against public access and returns the Laravel environment configuration contents in the response. The exposed file contains the application encryption key (APP_KEY), database access credentials, SMTP credentials, SendGrid API keys, and internal configuration parameters. Possessing the APP_KEY, an attacker can forge session tokens and bypass authentication mechanisms (authentication bypass via session token forgery), gain direct access to the database, and take over the mail infrastructure.

Impact

An attacker can completely take over the system: gain access to data of all tenants in the multi-tenancy architecture, impersonate any user through session token forgery, read and modify the entire database, and take control of the email infrastructure. Due to the multi-tenant architecture, the breach affects all clients using the platform simultaneously.

Mitigation & patch

Apply patches available from the vendor according to the references. Until the fix is implemented, it is recommended to immediately block access to the /script/.env file at the web server level (e.g., deny rules in nginx/Apache configuration), rotate all exposed secrets (APP_KEY, database passwords, SMTP/SendGrid API keys), and audit access logs to determine whether the file has already been downloaded by unauthorized parties.

Who is affected

Dokans Multi-Tenancy Based eCommerce Platform SaaS version 3.9.2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
  • Amcoders Dokans

    APP
    Amcoders
    3.9.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References