10

CVE-2025-70841

Exploit

EPSS 0.09%
Veröffentlicht 03.02.2026 00:00:00
Zuletzt bearbeitet 11.02.2026 15:58:31
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed file contains Laravel application encryption key (APP_KEY), database credentials, SMTP/SendGrid API credentials, and internal configuration parameters, enabling complete system compromise including authentication bypass via session token forgery, direct database access to all tenant data, and email infrastructure takeover. Due to the multi-tenancy architecture, this vulnerability affects all tenants in the system.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Amcoders ≫ Dokans Version3.9.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.09%	0.249

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cve@mitre.org	10	3.9	5.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://codecanyon.net/item/dokans-multitenancy-based-ecommerce-platform-saas/31122915

Product

https://github.com/cod3rLucas/security-advisories/blob/main/CVE-2025-70841.md

Third Party Advisory

Exploit

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2025-70841

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-70841

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-70841

EUVD