Vulnerability CVE-2008-6540


Published: 2009-03-29   Modified: 2012-02-12

Description:
DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the default keys.

See advisories in our WLB2 database:
Topic: DotNetNuke Default Machine Key Exposure (Med.)
Author: gdssecurity
Date: 01.04.2009

Type: CWE-264 (Permissions, Privileges, and Access Controls)

CVSS2 => (AV:N/AC:H/Au:N/C:P/I:P/A:P)

CVSS Base Score: 5.1/10
Impact Subscore: 6.4/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial
Affected software
Dotnetnuke -> Dotnetnuke 

References:
http://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno12/tabid/1148/Default.aspx
http://www.securityfocus.com/archive/1/489957/100/0/threaded
http://www.securityfocus.com/bid/28391
https://exchange.xforce.ibmcloud.com/vulnerabilities/41399

Copyright 2024, cxsecurity.com

 
