CVE-2025-70841

Dokans · Multi-Tenancy Based eCommerce Platform SaaS

Dokans SaaS platform allows unauthenticated attackers to download the `.env` file, exposing encryption keys, database credentials, and API keys, leading to total multi-tenant system compromise.

Executive summary

A critical information disclosure vulnerability in Dokans eCommerce SaaS allows unauthenticated attackers to steal sensitive configuration files, resulting in full compromise of all tenant data.

Vulnerability

The application permits unauthenticated remote attackers to access the /script/.env file directly. This file contains the Laravel APP_KEY, database credentials, and SMTP/SendGrid API keys.

Business impact

The CVSS score of 10.0 reflects the absolute severity of this leak. Exposure of the APP_KEY allows for session token forgery and authentication bypass, while database credentials grant direct access to sensitive tenant information. Furthermore, the theft of API keys allows attackers to hijack email infrastructure, causing massive financial and reputational harm across the entire SaaS ecosystem.

Remediation

Immediate Action: Update the platform to the latest version and immediately rotate all secrets, including the APP_KEY, database passwords, and API keys.

Proactive Monitoring: Inspect web server logs for any GET requests to the /script/.env path and monitor for unauthorized database logins.

Compensating Controls: Configure the web server (Nginx/Apache) to explicitly deny access to all dotfiles (any file or directory whose name begins with a dot, such as .env) globally, not just the /script/ path.
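An added detection example for the monitoring step above (this is not part of the advisory or the Dokans project): it scans web-server access-log lines for requests to /script/.env and to any other dotfile path, decodes percent-encoding so an encoded dot is not missed, and lists hits the server answered with 2xx (likely disclosure) ahead of ones it denied (reconnaissance). The combined log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Combined/common access-log format: client, time, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic): a benign request, a hit on the exact
# path from the advisory, a percent-encoded variant, and a denied dotfile probe.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2025:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.25 - - [10/Jan/2025:12:00:02 +0000] "GET /script/.env HTTP/1.1" 200 2311
203.0.113.25 - - [10/Jan/2025:12:00:03 +0000] "GET /script/%2Eenv HTTP/1.1" 200 2311
198.51.100.7 - - [10/Jan/2025:12:00:04 +0000] "GET /.git/config HTTP/1.1" 403 153
"""

# Any path segment that begins with "." (covers .env, .git, .htaccess, ...).
DOTFILE_SEGMENT = re.compile(r'(^|/)\.[^/]*')

def classify(line):
    """Return (severity, detail) for one access-log line, or None if uninteresting.
    'critical' = dotfile request answered 2xx (content was served, rotate secrets),
    'probe'    = dotfile request that was denied (reconnaissance only)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode once so %2E / %2e cannot hide the dot; drop the query string first.
    path = unquote(m.group("path").split("?", 1)[0])
    if not DOTFILE_SEGMENT.search(path):
        return None
    status = int(m.group("status"))
    severity = "critical" if 200 <= status < 300 else "probe"
    return severity, {"ip": m.group("ip"), "time": m.group("time"),
                      "path": path, "status": status}

def scan(log_text):
    """Return all dotfile hits with confirmed disclosures first, so responders
    see the lines that require the secret rotation described above before probes."""
    hits = [h for h in (classify(l) for l in log_text.splitlines()) if h]
    return sorted(hits, key=lambda h: h[0] != "critical")

if __name__ == "__main__":
    for severity, info in scan(SAMPLE_LOG):
        print(f"[{severity}] {info['ip']} {info['time']} {info['path']} -> {info['status']}")
```

Feed it a real access log with `scan(open(path).read())`; any "critical" line is evidence that the .env contents left the server and every secret in it must be treated as compromised.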

Exploitation status

Public Exploit Available: false

Analyst recommendation

This is a "scorched earth" scenario; simply patching is insufficient. Administrators must rotate every single credential found in the .env file immediately after updating the software to prevent attackers who may have already harvested the data from maintaining access.