CVE-2023-49443: GitHub - woshinibaba222/DoraCMS-Verification-Code-Reuse

DoraCMS v2.1.8 was discovered to accept the same verification code (captcha) for repeated username and password checks. This vulnerability allows attackers to gain access to the application via a brute-force attack.


DoraCMS Verification Code Reuse

Vulnerability Description

In the DoraCMS backend, when logging in by entering the account and password, the verification code can be reused: the server does not invalidate it after the first attempt. This allows a weak-password brute-force attack that submits the same verification code with every guess.

Affected Versions

DoraCMS version 2.1.8

Source Code Download Link

https://github.com/doramart/DoraCMS

Environment Deployment Tool

VSCode, MongoDB

Reproduction Steps:

1. Access the backend address: http://192.168.184.142:8080/dr-admin
2. Enter the account 'doracms', followed by the password and verification code, then click the login button.
3. Capture the request using Burp Suite.
4. Use Burp Suite Intruder for password brute-forcing.
5. When incorrect passwords can still be submitted repeatedly with the same request, it indicates that the verification code can be reused.
6. At the 50th attempt, the login was successful. The entered password is 123456. Login successful.
