VYPR
Get started
← All advisories
Moderate severityNVD Advisory· Published Mar 30, 2009· Updated Apr 24, 2026

CVE-2008-6540

CVE-2008-6540

Description

DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the default keys.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
DotNetNuke.CoreNuGet
< 4.8.24.8.2

Affected products

17
  • Dnnsoftware/Dotnetnuke17 versions
    cpe:2.3:a:dnnsoftware:dotnetnuke:*:*:*:*:*:*:*:*+ 16 more
    • cpe:2.3:a:dnnsoftware:dotnetnuke:*:*:*:*:*:*:*:*range: <=4.8.1
    • cpe:2.3:a:dnnsoftware:dotnetnuke:1.0.10d:*:*:*:*:*:*:*
    • cpe:2.3:a:dnnsoftware:dotnetnuke:1.0.10e:*:*:*:*:*:*:*
    • cpe:2.3:a:dnnsoftware:dotnetnuke:1.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:dnnsoftware:dotnetnuke:1.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:dnnsoftware:dotnetnuke:1.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:dnnsoftware:dotnetnuke:1.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:dnnsoftware:dotnetnuke:2.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:dnnsoftware:dotnetnuke:2.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:dnnsoftware:dotnetnuke:3.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:dnnsoftware:dotnetnuke:3.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:dnnsoftware:dotnetnuke:3.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:dnnsoftware:dotnetnuke:3.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:dnnsoftware:dotnetnuke:3.3.5:*:*:*:*:*:*:*
    • cpe:2.3:a:dnnsoftware:dotnetnuke:4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:dnnsoftware:dotnetnuke:4.3.5:*:*:*:*:*:*:*
    • cpe:2.3:a:dnnsoftware:dotnetnuke:4.5.2:*:*:*:*:*:*:*

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

8

News mentions

0

No linked articles in our index yet.