NuGet package
dotnetnuke.core
pkg:nuget/dotnetnuke.core
Vulnerabilities (35)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-12562 | — | < 9.4.0 | 9.4.0 | Sep 26, 2019 | Stored Cross-Site Scripting in DotNetNuke (DNN) Version before 9.4.0 allows remote attackers to store and embed the malicious script into the admin notification page. The exploit could be used to perfom any action with admin privileges such as managing content, adding users, uplo | ||
| CVE-2018-18326 | — | < 9.3.0 | 9.3.0 | Jul 3, 2019 | DNN (aka DotNetNuke) 9.2 through 9.2.2 incorrectly converts encryption key source values, resulting in lower than expected entropy. NOTE: this issue exists because of an incomplete fix for CVE-2018-15812. | ||
| CVE-2018-18325 | — | KEV | < 9.3.0 | 9.3.0 | Jul 3, 2019 | DNN (aka DotNetNuke) 9.2 through 9.2.2 uses a weak encryption algorithm to protect input parameters. NOTE: this issue exists because of an incomplete fix for CVE-2018-15811. | |
| CVE-2018-15812 | — | >= 9.2.0, < 9.2.2 | 9.2.2 | Jul 3, 2019 | DNN (aka DotNetNuke) 9.2 through 9.2.1 incorrectly converts encryption key source values, resulting in lower than expected entropy. | ||
| CVE-2018-15811 | — | KEV | >= 9.2.0, < 9.2.2 | 9.2.2 | Jul 3, 2019 | DNN (aka DotNetNuke) 9.2 through 9.2.1 uses a weak encryption algorithm to protect input parameters. | |
| CVE-2018-14486 | — | <= 9.1.1 | — | Mar 17, 2019 | DNN (formerly DotNetNuke) 9.1.1 allows cross-site scripting (XSS) via XML. | ||
| CVE-2017-0929 | — | < 9.2.0 | 9.2.0 | Jul 3, 2018 | DNN (aka DotNetNuke) before 9.2.0 suffers from a Server-Side Request Forgery (SSRF) vulnerability in the DnnImageHandler class. Attackers may be able to access information about internal network resources. | ||
| CVE-2017-9822 | Hig | 8.8 | KEV | < 9.1.1 | 9.1.1 | Jul 20, 2017 | DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code execution on DNN sites." |
| CVE-2015-2794 | Cri | 9.8 | < 7.4.1 | 7.4.1 | Feb 6, 2017 | The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx. | |
| CVE-2016-7119 | Med | 5.4 | < 8.0.1 | 8.0.1 | Aug 31, 2016 | Cross-site scripting (XSS) vulnerability in the user-profile biography section in DotNetNuke (DNN) before 8.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted onclick attribute in an IMG element. | |
| CVE-2015-1566 | — | < 7.4.0 | 7.4.0 | Feb 9, 2015 | Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) before 7.4.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||
| CVE-2013-7335 | — | < 6.2.9 | 6.2.9 | Mar 12, 2014 | Open redirect vulnerability in DotNetNuke (DNN) before 6.2.9 and 7.x before 7.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | ||
| CVE-2013-4649 | — | < 6.2.9 | 6.2.9 | Mar 12, 2014 | Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) before 6.2.9 and 7.x before 7.1.1 allows remote attackers to inject arbitrary web script or HTML via the __dnnVariable parameter to the default URI. | ||
| CVE-2008-6540 | — | < 4.8.2 | 4.8.2 | Mar 30, 2009 | DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the de | ||
| CVE-2007-0660 | — | < 03.02.01 | 03.02.01 | Feb 1, 2007 | Cross-site scripting (XSS) vulnerability in the IFrame module before 03.02.01 for DotNetNuke (DNN) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "Pass through values." |
- CVE-2019-12562Sep 26, 2019affected < 9.4.0fixed 9.4.0
Stored Cross-Site Scripting in DotNetNuke (DNN) Version before 9.4.0 allows remote attackers to store and embed the malicious script into the admin notification page. The exploit could be used to perfom any action with admin privileges such as managing content, adding users, uplo
- CVE-2018-18326Jul 3, 2019affected < 9.3.0fixed 9.3.0
DNN (aka DotNetNuke) 9.2 through 9.2.2 incorrectly converts encryption key source values, resulting in lower than expected entropy. NOTE: this issue exists because of an incomplete fix for CVE-2018-15812.
- affected < 9.3.0fixed 9.3.0
DNN (aka DotNetNuke) 9.2 through 9.2.2 uses a weak encryption algorithm to protect input parameters. NOTE: this issue exists because of an incomplete fix for CVE-2018-15811.
- CVE-2018-15812Jul 3, 2019affected >= 9.2.0, < 9.2.2fixed 9.2.2
DNN (aka DotNetNuke) 9.2 through 9.2.1 incorrectly converts encryption key source values, resulting in lower than expected entropy.
- affected >= 9.2.0, < 9.2.2fixed 9.2.2
DNN (aka DotNetNuke) 9.2 through 9.2.1 uses a weak encryption algorithm to protect input parameters.
- CVE-2018-14486Mar 17, 2019affected <= 9.1.1
DNN (formerly DotNetNuke) 9.1.1 allows cross-site scripting (XSS) via XML.
- CVE-2017-0929Jul 3, 2018affected < 9.2.0fixed 9.2.0
DNN (aka DotNetNuke) before 9.2.0 suffers from a Server-Side Request Forgery (SSRF) vulnerability in the DnnImageHandler class. Attackers may be able to access information about internal network resources.
- affected < 9.1.1fixed 9.1.1
DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code execution on DNN sites."
- affected < 7.4.1fixed 7.4.1
The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.
- affected < 8.0.1fixed 8.0.1
Cross-site scripting (XSS) vulnerability in the user-profile biography section in DotNetNuke (DNN) before 8.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted onclick attribute in an IMG element.
- CVE-2015-1566Feb 9, 2015affected < 7.4.0fixed 7.4.0
Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) before 7.4.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2013-7335Mar 12, 2014affected < 6.2.9fixed 6.2.9
Open redirect vulnerability in DotNetNuke (DNN) before 6.2.9 and 7.x before 7.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
- CVE-2013-4649Mar 12, 2014affected < 6.2.9fixed 6.2.9
Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) before 6.2.9 and 7.x before 7.1.1 allows remote attackers to inject arbitrary web script or HTML via the __dnnVariable parameter to the default URI.
- CVE-2008-6540Mar 30, 2009affected < 4.8.2fixed 4.8.2
DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the de
- CVE-2007-0660Feb 1, 2007affected < 03.02.01fixed 03.02.01
Cross-site scripting (XSS) vulnerability in the IFrame module before 03.02.01 for DotNetNuke (DNN) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "Pass through values."
Page 2 of 2