
upendoventures / dnn.fipsaescryptoprovider


This project exists to help DNN website owners become FIPS-compliant, both on the way to FedRAMP authorization and while maintaining FedRAMP status.

Home Page: https://upendoventures.com/What/CMS/DNN

Language: C# (100.00%)
Topics: cms, dnn, dnn-platform, dnncms, dnnplatform, fedramp, fips, security

dnn.fipsaescryptoprovider's People

Contributors: erw13n, mend-bolt-for-github[bot], willstrohl

Forkers: thabaum, erw13n

dnn.fipsaescryptoprovider's Issues

CVE-2021-40186 (High) detected in multiple libraries

CVE-2021-40186 - High Severity Vulnerability

Vulnerable Libraries - dotnetnuke.web.9.7.0.nupkg, dotnetnuke.web.9.2.1.533.nupkg, DotNetNuke.Web-9.8.0.0.dll, dotnetnuke.core.9.7.0.nupkg, dotnetnuke.core.9.2.1.533.nupkg

dotnetnuke.web.9.7.0.nupkg

Provides references to core components such as Caching, Security and other security-related items fo...

Library home page: https://api.nuget.org/packages/dotnetnuke.web.9.7.0.nupkg

Path to dependency file: /Libraries/UpendoProvidersFipsAesCryptoProvider/Upendo.Libraries.UpendoProvidersFipsAesCryptoProvider.csproj

Path to vulnerable library: /netnuke.web/9.7.0/dotnetnuke.web.9.7.0.nupkg,/home/wss-scanner/.nuget/packages/dotnetnuke.web/9.7.0/dotnetnuke.web.9.7.0.nupkg

Dependency Hierarchy:

  • dotnetnuke.web.9.7.0.nupkg (Vulnerable Library)
dotnetnuke.web.9.2.1.533.nupkg

DNN Platform is an open source web application framework. This package contains components required for developing extensions for DNN Platform.

Library home page: https://api.nuget.org/packages/dotnetnuke.web.9.2.1.533.nupkg

Path to dependency file: /Libraries/UpendoProvidersFipsAesCryptoProvider/Upendo.Libraries.UpendoProvidersFipsAesCryptoProvider.csproj

Path to vulnerable library: /netnuke.web/9.2.1.533/dotnetnuke.web.9.2.1.533.nupkg

Dependency Hierarchy:

  • dotnetnuke.web.9.2.1.533.nupkg (Vulnerable Library)
DotNetNuke.Web-9.8.0.0.dll

DotNetNuke.Web

Library home page: https://api.nuget.org/packages/dotnetnuke.web.9.8.0.nupkg

Path to vulnerable library: /References/DNN/09.07.00/DotNetNuke.Web.dll

Dependency Hierarchy:

  • DotNetNuke.Web-9.8.0.0.dll (Vulnerable Library)
dotnetnuke.core.9.7.0.nupkg

Provides basic references to the DotNetNuke.dll to develop extensions for the DNN Platform. For MVC or WebAPI please see other packages available as well

Library home page: https://api.nuget.org/packages/dotnetnuke.core.9.7.0.nupkg

Path to dependency file: /Libraries/UpendoProvidersFipsAesCryptoProvider/Upendo.Libraries.UpendoProvidersFipsAesCryptoProvider.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/dotnetnuke.core/9.7.0/dotnetnuke.core.9.7.0.nupkg,/netnuke.core/9.7.0/dotnetnuke.core.9.7.0.nupkg

Dependency Hierarchy:

  • dotnetnuke.core.9.7.0.nupkg (Vulnerable Library)
dotnetnuke.core.9.2.1.533.nupkg

DNN Platform is an open source web application framework. This package contains only the core DNN Platform library.

Library home page: https://api.nuget.org/packages/dotnetnuke.core.9.2.1.533.nupkg

Path to dependency file: /Libraries/UpendoProvidersFipsAesCryptoProvider/Upendo.Libraries.UpendoProvidersFipsAesCryptoProvider.csproj

Path to vulnerable library: /netnuke.core/9.2.1.533/dotnetnuke.core.9.2.1.533.nupkg

Dependency Hierarchy:

  • dotnetnuke.core.9.2.1.533.nupkg (Vulnerable Library)

Found in base branch: development

Vulnerability Details

The AppCheck research team identified a Server-Side Request Forgery (SSRF) vulnerability within the DNN CMS platform, formerly known as DotNetNuke. SSRF vulnerabilities allow the attacker to exploit the target system to make network requests on their behalf, allowing a range of possible attacks. In the most common scenario, the attacker exploits SSRF vulnerabilities to attack systems behind the firewall and access sensitive information from Cloud Provider metadata services.

Publish Date: 2022-06-02

URL: CVE-2021-40186

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-40186

Release Date: 2022-06-02

Fix Resolution: DotNetNuke.Web - 9.11.0;DotNetNuke.Core - 9.11.0


Step up your Open Source Security Game with Mend here

CVE-2018-18326 (High) detected in dotnetnuke.core.9.2.1.533.nupkg

CVE-2018-18326 - High Severity Vulnerability

Vulnerable Library - dotnetnuke.core.9.2.1.533.nupkg

DNN Platform is an open source web application framework. This package contains only the core ...

Library home page: https://api.nuget.org/packages/dotnetnuke.core.9.2.1.533.nupkg

Path to dependency file: /Libraries/UpendoProvidersFipsAesCryptoProvider/Upendo.Libraries.UpendoProvidersFipsAesCryptoProvider.csproj

Path to vulnerable library: /netnuke.core/9.2.1.533/dotnetnuke.core.9.2.1.533.nupkg

Dependency Hierarchy:

  • dotnetnuke.core.9.2.1.533.nupkg (Vulnerable Library)

Found in HEAD commit: d6abd56cf0fd6b2d3d2037d2844bf7d7d130c52c

Found in base branch: development

Vulnerability Details

DNN (aka DotNetNuke) 9.2 through 9.2.2 incorrectly converts encryption key source values, resulting in lower than expected entropy. NOTE: this issue exists because of an incomplete fix for CVE-2018-15812.

Publish Date: 2019-07-03

URL: CVE-2018-18326

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.dnnsoftware.com/community/security/security-center

Release Date: 2019-07-03

Fix Resolution: 9.3.0



CVE-2018-18325 (High) detected in dotnetnuke.core.9.2.1.533.nupkg

CVE-2018-18325 - High Severity Vulnerability

Vulnerable Library - dotnetnuke.core.9.2.1.533.nupkg

DNN Platform is an open source web application framework. This package contains only the core ...

Library home page: https://api.nuget.org/packages/dotnetnuke.core.9.2.1.533.nupkg

Path to dependency file: /Libraries/UpendoProvidersFipsAesCryptoProvider/Upendo.Libraries.UpendoProvidersFipsAesCryptoProvider.csproj

Path to vulnerable library: /netnuke.core/9.2.1.533/dotnetnuke.core.9.2.1.533.nupkg

Dependency Hierarchy:

  • dotnetnuke.core.9.2.1.533.nupkg (Vulnerable Library)

Found in HEAD commit: d6abd56cf0fd6b2d3d2037d2844bf7d7d130c52c

Found in base branch: development

Vulnerability Details

DNN (aka DotNetNuke) 9.2 through 9.2.2 uses a weak encryption algorithm to protect input parameters. NOTE: this issue exists because of an incomplete fix for CVE-2018-15811.

Publish Date: 2019-07-03

URL: CVE-2018-18325

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://pentest-tools.com/blog/exploit-dotnetnuke-cookie-deserialization/

Release Date: 2019-07-03

Fix Resolution: 9.3.0



CVE-2020-5188 (Medium) detected in dotnetnuke.core.9.7.0.nupkg, dotnetnuke.core.9.2.1.533.nupkg

CVE-2020-5188 - Medium Severity Vulnerability

Vulnerable Libraries - dotnetnuke.core.9.7.0.nupkg, dotnetnuke.core.9.2.1.533.nupkg

dotnetnuke.core.9.7.0.nupkg

Provides basic references to the DotNetNuke.dll to develop extensions for the DNN Platform. For MVC or WebAPI please see other packages available as well

Library home page: https://api.nuget.org/packages/dotnetnuke.core.9.7.0.nupkg

Path to dependency file: /Libraries/UpendoProvidersFipsAesCryptoProvider/Upendo.Libraries.UpendoProvidersFipsAesCryptoProvider.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/dotnetnuke.core/9.7.0/dotnetnuke.core.9.7.0.nupkg,/netnuke.core/9.7.0/dotnetnuke.core.9.7.0.nupkg

Dependency Hierarchy:

  • dotnetnuke.core.9.7.0.nupkg (Vulnerable Library)
dotnetnuke.core.9.2.1.533.nupkg

DNN Platform is an open source web application framework. This package contains only the core DNN Platform library.

Library home page: https://api.nuget.org/packages/dotnetnuke.core.9.2.1.533.nupkg

Path to dependency file: /Libraries/UpendoProvidersFipsAesCryptoProvider/Upendo.Libraries.UpendoProvidersFipsAesCryptoProvider.csproj

Path to vulnerable library: /netnuke.core/9.2.1.533/dotnetnuke.core.9.2.1.533.nupkg

Dependency Hierarchy:

  • dotnetnuke.core.9.2.1.533.nupkg (Vulnerable Library)

Found in HEAD commit: d6abd56cf0fd6b2d3d2037d2844bf7d7d130c52c

Found in base branch: development

Vulnerability Details

DNN (formerly DotNetNuke) through 9.4.4 has Insecure Permissions.

Publish Date: 2020-02-24

URL: CVE-2020-5188

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


WS-2022-0161 (High) detected in newtonsoft.json.10.0.1.nupkg

WS-2022-0161 - High Severity Vulnerability

Vulnerable Library - newtonsoft.json.10.0.1.nupkg

Json.NET is a popular high-performance JSON framework for .NET

Library home page: https://api.nuget.org/packages/newtonsoft.json.10.0.1.nupkg

Path to dependency file: /Libraries/UpendoProvidersFipsAesCryptoProvider/Upendo.Libraries.UpendoProvidersFipsAesCryptoProvider.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/newtonsoft.json/10.0.1/newtonsoft.json.10.0.1.nupkg,/tonsoft.json/10.0.1/newtonsoft.json.10.0.1.nupkg

Dependency Hierarchy:

  • newtonsoft.json.10.0.1.nupkg (Vulnerable Library)

Found in base branch: development

Vulnerability Details

Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of expressions with high nesting level that lead to StackOverFlow exception or high CPU and RAM usage. Exploiting this vulnerability results in Denial Of Service (DoS).

The serialization and deserialization path have different properties regarding the issue.

Deserializing methods (like JsonConvert.DeserializeObject) will process the input that results in burning the CPU, allocating memory, and consuming a thread of execution. Quite high nesting level (>10kk, or 9.5MB of {a:{a:{... input) is needed to achieve the latency over 10 seconds, depending on the hardware.

Serializing methods (like JsonConvert.Serialize or JObject.ToString) will throw StackOverFlow exception with the nesting level of around 20k.

To mitigate the issue one either needs to update Newtonsoft.Json to 13.0.1 or set the MaxDepth parameter in the JsonSerializerSettings. This can be done globally with the following statement. After that the parsing of the nested input will fail fast with Newtonsoft.Json.JsonReaderException:

    JsonConvert.DefaultSettings = () => new JsonSerializerSettings { MaxDepth = 128 };

Repro code:

    using System.Linq;
    using Newtonsoft.Json;

    // Create a string representation of a highly nested object (JSON serialized)
    int nRep = 25000;
    string json = string.Concat(Enumerable.Repeat("{a:", nRep)) + "1" +
        string.Concat(Enumerable.Repeat("}", nRep));

    // Parse this object (leads to high CPU/RAM consumption)
    var parsedJson = JsonConvert.DeserializeObject(json);

    // Methods below all throw stack overflow with nRep around 20k and higher
    // string a = parsedJson.ToString();
    // string b = JsonConvert.SerializeObject(parsedJson);

Additional affected product and version information

The original statement about the problem only affecting IIS applications is misleading. Any application is affected; however, IIS has a behavior that stops restarting the instance after some time, resulting in a harder-to-fix DoS.

Publish Date: 2022-06-22

URL: WS-2022-0161

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2022-06-22

Fix Resolution: Newtonsoft.Json - 13.0.1;Microsoft.Extensions.ApiDescription.Server - 6.0.0



CVE-2021-31858 (Medium) detected in dotnetnuke.core.9.7.0.nupkg, dotnetnuke.core.9.2.1.533.nupkg

CVE-2021-31858 - Medium Severity Vulnerability

Vulnerable Libraries - dotnetnuke.core.9.7.0.nupkg, dotnetnuke.core.9.2.1.533.nupkg

dotnetnuke.core.9.7.0.nupkg

Provides basic references to the DotNetNuke.dll to develop extensions for the DNN Platform. For MVC or WebAPI please see other packages available as well

Library home page: https://api.nuget.org/packages/dotnetnuke.core.9.7.0.nupkg

Path to dependency file: /Libraries/UpendoProvidersFipsAesCryptoProvider/Upendo.Libraries.UpendoProvidersFipsAesCryptoProvider.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/dotnetnuke.core/9.7.0/dotnetnuke.core.9.7.0.nupkg,/netnuke.core/9.7.0/dotnetnuke.core.9.7.0.nupkg

Dependency Hierarchy:

  • dotnetnuke.core.9.7.0.nupkg (Vulnerable Library)
dotnetnuke.core.9.2.1.533.nupkg

DNN Platform is an open source web application framework. This package contains only the core DNN Platform library.

Library home page: https://api.nuget.org/packages/dotnetnuke.core.9.2.1.533.nupkg

Path to dependency file: /Libraries/UpendoProvidersFipsAesCryptoProvider/Upendo.Libraries.UpendoProvidersFipsAesCryptoProvider.csproj

Path to vulnerable library: /netnuke.core/9.2.1.533/dotnetnuke.core.9.2.1.533.nupkg

Dependency Hierarchy:

  • dotnetnuke.core.9.2.1.533.nupkg (Vulnerable Library)

Found in base branch: development

Vulnerability Details

DotNetNuke (DNN) 9.9.1 CMS is vulnerable to a Stored Cross-Site Scripting vulnerability in the user profile biography section which allows remote authenticated users to inject arbitrary code via a crafted payload.

Publish Date: 2022-07-20

URL: CVE-2021-31858

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-31858

Release Date: 2022-07-20

Fix Resolution: DotNetNuke.Core - 9.11.0



CVE-2014-4075 (Medium) detected in System.Web.Mvc-5.1.20821.0.dll

CVE-2014-4075 - Medium Severity Vulnerability

Vulnerable Library - System.Web.Mvc-5.1.20821.0.dll

System.Web.Mvc.dll

Library home page: https://api.nuget.org/packages/microsoft.aspnet.mvc.5.1.3.nupkg

Path to vulnerable library: /References/DNN/09.07.00/System.Web.Mvc.dll

Dependency Hierarchy:

  • System.Web.Mvc-5.1.20821.0.dll (Vulnerable Library)

Found in HEAD commit: d6abd56cf0fd6b2d3d2037d2844bf7d7d130c52c

Found in base branch: development

Vulnerability Details

Cross-site scripting (XSS) vulnerability in System.Web.Mvc.dll in Microsoft ASP.NET Model View Controller (MVC) 2.0 through 5.1 allows remote attackers to inject arbitrary web script or HTML via a crafted web page, aka "MVC XSS Vulnerability."

Publish Date: 2014-10-15

URL: CVE-2014-4075

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-059#mvc-xss-vulnerability---cve-2014-4075

Release Date: 2014-10-15

Fix Resolution: Microsoft.AspNet.Mvc - 3.0.50813.1, 4.0.40804.0, 5.0.2, 5.1.3



CVE-2020-5186 (Medium) detected in dotnetnuke.core.9.7.0.nupkg, dotnetnuke.core.9.2.1.533.nupkg

CVE-2020-5186 - Medium Severity Vulnerability

Vulnerable Libraries - dotnetnuke.core.9.7.0.nupkg, dotnetnuke.core.9.2.1.533.nupkg

dotnetnuke.core.9.7.0.nupkg

Provides basic references to the DotNetNuke.dll to develop extensions for the DNN Platform. For MVC or WebAPI please see other packages available as well

Library home page: https://api.nuget.org/packages/dotnetnuke.core.9.7.0.nupkg

Path to dependency file: /Libraries/UpendoProvidersFipsAesCryptoProvider/Upendo.Libraries.UpendoProvidersFipsAesCryptoProvider.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/dotnetnuke.core/9.7.0/dotnetnuke.core.9.7.0.nupkg,/netnuke.core/9.7.0/dotnetnuke.core.9.7.0.nupkg

Dependency Hierarchy:

  • dotnetnuke.core.9.7.0.nupkg (Vulnerable Library)
dotnetnuke.core.9.2.1.533.nupkg

DNN Platform is an open source web application framework. This package contains only the core DNN Platform library.

Library home page: https://api.nuget.org/packages/dotnetnuke.core.9.2.1.533.nupkg

Path to dependency file: /Libraries/UpendoProvidersFipsAesCryptoProvider/Upendo.Libraries.UpendoProvidersFipsAesCryptoProvider.csproj

Path to vulnerable library: /netnuke.core/9.2.1.533/dotnetnuke.core.9.2.1.533.nupkg

Dependency Hierarchy:

  • dotnetnuke.core.9.2.1.533.nupkg (Vulnerable Library)

Found in HEAD commit: d6abd56cf0fd6b2d3d2037d2844bf7d7d130c52c

Found in base branch: development

Vulnerability Details

DNN (formerly DotNetNuke) through 9.4.4 allows XSS (issue 1 of 2).

Publish Date: 2020-02-24

URL: CVE-2020-5186

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


CVE-2022-47053 (Medium) detected in DotNetNuke.Modules.DigitalAssets-9.8.0.0.dll

CVE-2022-47053 - Medium Severity Vulnerability

Vulnerable Library - DotNetNuke.Modules.DigitalAssets-9.8.0.0.dll

DotNetNuke.Modules.DigitalAssets

Library home page: https://api.nuget.org/packages/dotnetnuke.bundle.9.8.0.nupkg

Path to vulnerable library: /References/DNN/09.07.00/DotNetNuke.Modules.DigitalAssets.dll

Dependency Hierarchy:

  • DotNetNuke.Modules.DigitalAssets-9.8.0.0.dll (Vulnerable Library)

Found in HEAD commit: d6abd56cf0fd6b2d3d2037d2844bf7d7d130c52c

Found in base branch: development

Vulnerability Details

An arbitrary file upload vulnerability in the Digital Assets Manager module of DNN Corp DotNetNuke v7.0.0 to v9.10.2 allows attackers to execute arbitrary code via a crafted SVG file.

Publish Date: 2023-04-12

URL: CVE-2022-47053

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.dnnsoftware.com/community/security/security-center#:~:text=XSS%20in%20Digital%20Asset%20Manager

Release Date: 2023-04-12

Fix Resolution: DotNetNuke.Bundle - 9.11.0



CVE-2022-23535 (Critical) detected in LiteDB-3.1.0.0.dll

CVE-2022-23535 - Critical Severity Vulnerability

Vulnerable Library - LiteDB-3.1.0.0.dll

LiteDB

Library home page: https://api.nuget.org/packages/litedb.3.1.0.nupkg

Path to vulnerable library: /References/DNN/09.07.00/LiteDB.dll

Dependency Hierarchy:

  • LiteDB-3.1.0.0.dll (Vulnerable Library)

Found in base branch: development

Vulnerability Details

LiteDB is a small, fast and lightweight .NET NoSQL embedded database. Versions prior to 5.0.13 are subject to Deserialization of Untrusted Data. LiteDB uses a special field in JSON documents to cast different types from BsonDocument to POCO classes. When instances of an object are not the same of class, BsonMapper use a special field _type string info with full class name with assembly to be loaded and fit into your model. If your end-user can send to your app a plain JSON string, deserialization can load an unsafe object to fit into your model. This issue is patched in version 5.0.13 with some basic fixes to avoid this, but is not 100% guaranteed when using Object type. The next major version will contain an allow-list to select what kind of Assembly can be loaded. Workarounds are detailed in the vendor advisory.

Publish Date: 2023-02-24

URL: CVE-2022-23535

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23535

Release Date: 2023-02-24

Fix Resolution: LiteDB - 5.0.13



CVE-2017-9822 (High) detected in dotnetnuke.core.9.7.0.nupkg - autoclosed

CVE-2017-9822 - High Severity Vulnerability

Vulnerable Library - dotnetnuke.core.9.7.0.nupkg

Provides basic references to the DotNetNuke.dll to develop extensions for the DNN Platform. For MVC or WebAPI please see other packages available as well

Library home page: https://api.nuget.org/packages/dotnetnuke.core.9.7.0.nupkg

Path to dependency file: /Libraries/UpendoProvidersFipsAesCryptoProvider/Upendo.Libraries.UpendoProvidersFipsAesCryptoProvider.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/dotnetnuke.core/9.7.0/dotnetnuke.core.9.7.0.nupkg,/netnuke.core/9.7.0/dotnetnuke.core.9.7.0.nupkg

Dependency Hierarchy:

  • dotnetnuke.core.9.7.0.nupkg (Vulnerable Library)

Found in HEAD commit: d6abd56cf0fd6b2d3d2037d2844bf7d7d130c52c

Found in base branch: development

Vulnerability Details

DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code execution on DNN sites."

Publish Date: 2017-07-20

URL: CVE-2017-9822

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-9822

Release Date: 2017-07-20

Fix Resolution: 9.1.1



CVE-2019-12562 (Medium) detected in dotnetnuke.core.9.2.1.533.nupkg

CVE-2019-12562 - Medium Severity Vulnerability

Vulnerable Library - dotnetnuke.core.9.2.1.533.nupkg

DNN Platform is an open source web application framework. This package contains only the core ...

Library home page: https://api.nuget.org/packages/dotnetnuke.core.9.2.1.533.nupkg

Path to dependency file: /Libraries/UpendoProvidersFipsAesCryptoProvider/Upendo.Libraries.UpendoProvidersFipsAesCryptoProvider.csproj

Path to vulnerable library: /netnuke.core/9.2.1.533/dotnetnuke.core.9.2.1.533.nupkg

Dependency Hierarchy:

  • dotnetnuke.core.9.2.1.533.nupkg (Vulnerable Library)

Found in HEAD commit: d6abd56cf0fd6b2d3d2037d2844bf7d7d130c52c

Found in base branch: development

Vulnerability Details

Stored Cross-Site Scripting in DotNetNuke (DNN) Version before 9.4.0 allows remote attackers to store and embed the malicious script into the admin notification page. The exploit could be used to perform any action with admin privileges such as managing content, adding users, uploading backdoors to the server, etc. Successful exploitation occurs when an admin user visits a notification page with stored cross-site scripting.

Publish Date: 2019-09-26

URL: CVE-2019-12562

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12562

Release Date: 2019-10-01

Fix Resolution: 9.4.0



CVE-2018-15812 (High) detected in dotnetnuke.core.9.2.1.533.nupkg

CVE-2018-15812 - High Severity Vulnerability

Vulnerable Library - dotnetnuke.core.9.2.1.533.nupkg

DNN Platform is an open source web application framework. This package contains only the core ...

Library home page: https://api.nuget.org/packages/dotnetnuke.core.9.2.1.533.nupkg

Path to dependency file: /Libraries/UpendoProvidersFipsAesCryptoProvider/Upendo.Libraries.UpendoProvidersFipsAesCryptoProvider.csproj

Path to vulnerable library: /netnuke.core/9.2.1.533/dotnetnuke.core.9.2.1.533.nupkg

Dependency Hierarchy:

  • dotnetnuke.core.9.2.1.533.nupkg (Vulnerable Library)

Found in HEAD commit: d6abd56cf0fd6b2d3d2037d2844bf7d7d130c52c

Found in base branch: development

Vulnerability Details

DNN (aka DotNetNuke) 9.2 through 9.2.1 incorrectly converts encryption key source values, resulting in lower than expected entropy.

Publish Date: 2019-07-03

URL: CVE-2018-15812

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.dnnsoftware.com/community/security/security-center

Release Date: 2019-07-03

Fix Resolution: 9.2.2



CVE-2018-15811 (High) detected in dotnetnuke.core.9.2.1.533.nupkg

CVE-2018-15811 - High Severity Vulnerability

Vulnerable Library - dotnetnuke.core.9.2.1.533.nupkg

DNN Platform is an open source web application framework. This package contains only the core ...

Library home page: https://api.nuget.org/packages/dotnetnuke.core.9.2.1.533.nupkg

Path to dependency file: /Libraries/UpendoProvidersFipsAesCryptoProvider/Upendo.Libraries.UpendoProvidersFipsAesCryptoProvider.csproj

Path to vulnerable library: /netnuke.core/9.2.1.533/dotnetnuke.core.9.2.1.533.nupkg

Dependency Hierarchy:

  • dotnetnuke.core.9.2.1.533.nupkg (Vulnerable Library)

Found in HEAD commit: d6abd56cf0fd6b2d3d2037d2844bf7d7d130c52c

Found in base branch: development

Vulnerability Details

DNN (aka DotNetNuke) 9.2 through 9.2.1 uses a weak encryption algorithm to protect input parameters.

Publish Date: 2019-07-03

URL: CVE-2018-15811

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: dnnsoftware/Dnn.Platform@bf3641f

Release Date: 2019-07-03

Fix Resolution: 9.3.0



CVE-2018-1002208 (Medium) detected in ICSharpCode.SharpZipLib-0.86.0.518.dll, ICSharpCode.SharpZipLib.dll

CVE-2018-1002208 - Medium Severity Vulnerability

Vulnerable Libraries - ICSharpCode.SharpZipLib-0.86.0.518.dll, ICSharpCode.SharpZipLib.dll

ICSharpCode.SharpZipLib-0.86.0.518.dll

SharpZipLib for .NET Framework 2.0

Library home page: https://api.nuget.org/packages/icsharpcode.sharpziplib.0.86.0.518.nupkg

Path to vulnerable library: /References/DNN/09.07.00/ICSharpCode.SharpZipLib.dll

Dependency Hierarchy:

  • ICSharpCode.SharpZipLib-0.86.0.518.dll (Vulnerable Library)
ICSharpCode.SharpZipLib.dll

ICSharpCode.SharpZipLibrary

Library home page: https://github.com/icsharpcode/SharpZipLib/releases/download/0.84.0.0/084SharpZipLib.zip

Path to vulnerable library: /Build/ICSharpCode.SharpZipLib.dll

Dependency Hierarchy:

  • ICSharpCode.SharpZipLib.dll (Vulnerable Library)

Found in HEAD commit: d6abd56cf0fd6b2d3d2037d2844bf7d7d130c52c

Found in base branch: development

Vulnerability Details

SharpZipLib before 1.0 RC1 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

Publish Date: 2018-07-25

URL: CVE-2018-1002208

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1002208

Release Date: 2018-07-25

Fix Resolution: SharpZipLib - 1.0.0-rc1


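The traversal the Zip-Slip advisory above describes is stopped by resolving each archive entry to its canonical destination and refusing anything that does not stay under the extraction root. The helper below is an added example, not code from this project or from SharpZipLib; it uses only the .NET base class library, the `SafeDestination` name and the extraction root are hypothetical, and the entry names are constructed to show the cases a hostile archive would carry (`../` sequences, rooted paths, backslash separators).

```csharp
using System;
using System.IO;

// Added example (not project or SharpZipLib code): reject Zip entries that would
// escape the extraction root. The test is done on the normalized absolute path, so
// "..", rooted entries and mixed separators are all caught by one prefix check.
public static class ZipSlipGuard
{
    // Returns the absolute destination for entryName, or null when the entry would
    // land outside extractRoot. Callers must only write when a non-null path comes back.
    public static string SafeDestination(string extractRoot, string entryName)
    {
        if (string.IsNullOrEmpty(entryName)) return null;

        // Zip entry names use '/' by spec, but hostile archives may carry '\' as well;
        // normalize both to the platform separator so Path.Combine sees real segments.
        string normalized = entryName.Replace('/', Path.DirectorySeparatorChar)
                                     .Replace('\\', Path.DirectorySeparatorChar);

        // A rooted entry ("/etc/passwd", "\bin\evil.dll") must never be honoured:
        // Path.Combine would discard the root and return the entry unchanged.
        if (Path.IsPathRooted(normalized)) return null;

        // Canonical root with a trailing separator, so "out" cannot match "out-other".
        string root = Path.GetFullPath(extractRoot).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;

        // GetFullPath collapses every ".." segment; the result is the real target.
        string full = Path.GetFullPath(Path.Combine(root, normalized));

        // Windows file systems are case-insensitive; everything else is compared ordinally.
        StringComparison cmp = Path.DirectorySeparatorChar == '\\'
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;

        return full.StartsWith(root, cmp) ? full : null;
    }

    public static void Main()
    {
        // Hypothetical extraction root; nothing is written in this example.
        string root = Path.Combine(Path.GetTempPath(), "dnn-extract");

        // Constructed entry names of the kind found in a crafted archive.
        string[] entries =
        {
            "skin/default.ascx",      // ordinary entry, accepted
            "../../web.config",       // classic Zip-Slip, rejected
            "/bin/evil.dll",          // rooted entry, rejected
            "a/../../b.txt",          // escapes via an intermediate "..", rejected
            "sub\\..\\ok.txt"         // backslashes that resolve inside the root, accepted
        };

        foreach (string entry in entries)
        {
            string dest = SafeDestination(root, entry);
            Console.WriteLine("{0,-22} -> {1}", entry, dest ?? "REJECTED");
        }
    }
}
```

The same check belongs in front of every `ZipEntry` write in an extraction loop; the Fix Resolution above (SharpZipLib 1.0.0-rc1) performs an equivalent check inside `FastZip`, but an explicit guard in the caller also protects code that extracts entries by hand.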

CVE-2018-1285 (High) detected in log4net-1.2.10.0.dll

CVE-2018-1285 - High Severity Vulnerability

Vulnerable Library - log4net-1.2.10.0.dll

log4net for .NET Framework 2.0

Library home page: https://api.nuget.org/packages/log4net.1.2.10.nupkg

Path to vulnerable library: /References/HotcakesCommerce/03.02.01/log4net.dll

Dependency Hierarchy:

  • log4net-1.2.10.0.dll (Vulnerable Library)

Found in HEAD commit: d6abd56cf0fd6b2d3d2037d2844bf7d7d130c52c

Found in base branch: development

Vulnerability Details

Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.

Publish Date: 2020-05-11

URL: CVE-2018-1285

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://github.com/apache/logging-log4net/tree/rel/2.0.10

Release Date: 2020-05-11

Fix Resolution: log4net - 2.0.10


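The log4net finding is an XXE issue in configuration parsing: a config file that declares a DTD with an external entity can make the parser read a local file (or fetch a URL) and splice the contents into the document. The precondition in the advisory text matters; it is only exploitable where an attacker can supply or modify the log4net configuration file, and the fix on this page is the upgrade to 2.0.10. The C# example below is added here to show the mechanism and the reader settings that close it; it is not log4net's code nor the project's, and the "log4net"-shaped XML and the secret file are constructed for the demo. The permissive parser deliberately enables DTD processing with an XmlUrlResolver to reproduce the exposed behaviour, and the hardened one sets DtdProcessing.Prohibit and a null resolver, which is the combination to use for any XML that did not come from a trusted source.

```csharp
// Added example, not log4net's or the project's own code: XXE via an XML config file,
// and the XmlReaderSettings that prevent it.
using System;
using System.IO;
using System.Xml;

public static class ConfigXmlHardening
{
    // Parses the way an XXE-exposed loader does: DTD processed, external entities fetched
    // through XmlUrlResolver (file://, http://, ...). Here only to demonstrate the leak.
    public static string ReadFileElementPermissive(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = new XmlUrlResolver()
        };
        return ReadFileElement(xml, settings);
    }

    // Hardened loader: any <!DOCTYPE> is rejected outright and no resolver exists to fetch
    // anything even if one slipped through.
    public static string ReadFileElementHardened(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        return ReadFileElement(xml, settings);
    }

    // Returns the text of the first <file> element. Entity references in element content
    // are expanded by the reader, so with the permissive settings the entity's target
    // file contents come back as the element text.
    private static string ReadFileElement(string xml, XmlReaderSettings settings)
    {
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            // With DtdProcessing.Prohibit, Read() throws XmlException at the DOCTYPE.
            while (reader.Read())
            {
                if (reader.NodeType == XmlNodeType.Element && reader.Name == "file")
                    return reader.ReadElementContentAsString();
            }
            return null;
        }
    }

    public static void Main()
    {
        // Constructed secret that the payload tries to read.
        string secretPath = Path.Combine(Path.GetTempPath(),
            "xxe-demo-" + Guid.NewGuid().ToString("N") + ".txt");
        File.WriteAllText(secretPath, "db-password=hunter2");

        // Constructed attacker-controlled config. External entities may only be referenced
        // in element content (the XML spec forbids them in attribute values), which is why
        // the reference sits inside <file> rather than in a value="" attribute.
        string payload =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE log4net [ <!ENTITY xxe SYSTEM \"" + new Uri(secretPath).AbsoluteUri + "\"> ]>\n" +
            "<log4net>\n" +
            "  <appender name=\"f\" type=\"log4net.Appender.FileAppender\">\n" +
            "    <file>&xxe;</file>\n" +
            "  </appender>\n" +
            "</log4net>";

        Console.WriteLine("permissive parser returned: " + ReadFileElementPermissive(payload));
        try
        {
            ReadFileElementHardened(payload);
            Console.WriteLine("hardened parser accepted the document (unexpected)");
        }
        catch (XmlException ex)
        {
            Console.WriteLine("hardened parser rejected the document: " + ex.Message);
        }
        File.Delete(secretPath);
    }
}
```

When you audit a .NET code base for this class of bug, look for every place an XmlReaderSettings is built with DtdProcessing.Parse or a non-null XmlResolver, and for XmlDocument or XmlTextReader instances whose XmlResolver is never set to null; the defaults differ across .NET Framework versions, so treat explicit hardening as the only reliable evidence.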

CVE-2022-2922 (Medium) detected in multiple libraries

CVE-2022-2922 - Medium Severity Vulnerability

Vulnerable Libraries - DotNetNuke-9.8.0.0.dll, dotnetnuke.web.9.7.0.nupkg, dotnetnuke.web.9.2.1.533.nupkg, DotNetNuke.Web-9.8.0.0.dll, dotnetnuke.core.9.7.0.nupkg, dotnetnuke.core.9.2.1.533.nupkg

DotNetNuke-9.8.0.0.dll

DotNetNuke

Library home page: https://api.nuget.org/packages/dotnetnuke.core.9.8.0.nupkg

Path to vulnerable library: /References/DNN/09.07.00/DotNetNuke.dll

Dependency Hierarchy:

  • DotNetNuke-9.8.0.0.dll (Vulnerable Library)
dotnetnuke.web.9.7.0.nupkg

Provides references to core components such as Caching, Security and other security-related items fo...

Library home page: https://api.nuget.org/packages/dotnetnuke.web.9.7.0.nupkg

Path to dependency file: /Libraries/UpendoProvidersFipsAesCryptoProvider/Upendo.Libraries.UpendoProvidersFipsAesCryptoProvider.csproj

Path to vulnerable library: /netnuke.web/9.7.0/dotnetnuke.web.9.7.0.nupkg,/home/wss-scanner/.nuget/packages/dotnetnuke.web/9.7.0/dotnetnuke.web.9.7.0.nupkg

Dependency Hierarchy:

  • dotnetnuke.web.9.7.0.nupkg (Vulnerable Library)
dotnetnuke.web.9.2.1.533.nupkg

DNN Platform is an open source web application framework. This package contains components required for developing extensions for DNN Platform.

Library home page: https://api.nuget.org/packages/dotnetnuke.web.9.2.1.533.nupkg

Path to dependency file: /Libraries/UpendoProvidersFipsAesCryptoProvider/Upendo.Libraries.UpendoProvidersFipsAesCryptoProvider.csproj

Path to vulnerable library: /netnuke.web/9.2.1.533/dotnetnuke.web.9.2.1.533.nupkg

Dependency Hierarchy:

  • dotnetnuke.web.9.2.1.533.nupkg (Vulnerable Library)
DotNetNuke.Web-9.8.0.0.dll

DotNetNuke.Web

Library home page: https://api.nuget.org/packages/dotnetnuke.web.9.8.0.nupkg

Path to vulnerable library: /References/DNN/09.07.00/DotNetNuke.Web.dll

Dependency Hierarchy:

  • DotNetNuke.Web-9.8.0.0.dll (Vulnerable Library)
dotnetnuke.core.9.7.0.nupkg

Provides basic references to the DotNetNuke.dll to develop extensions for the DNN Platform. For MVC or WebAPI please see other packages available as well

Library home page: https://api.nuget.org/packages/dotnetnuke.core.9.7.0.nupkg

Path to dependency file: /Libraries/UpendoProvidersFipsAesCryptoProvider/Upendo.Libraries.UpendoProvidersFipsAesCryptoProvider.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/dotnetnuke.core/9.7.0/dotnetnuke.core.9.7.0.nupkg,/netnuke.core/9.7.0/dotnetnuke.core.9.7.0.nupkg

Dependency Hierarchy:

  • dotnetnuke.core.9.7.0.nupkg (Vulnerable Library)
dotnetnuke.core.9.2.1.533.nupkg

DNN Platform is an open source web application framework. This package contains only the core DNN Platform library.

Library home page: https://api.nuget.org/packages/dotnetnuke.core.9.2.1.533.nupkg

Path to dependency file: /Libraries/UpendoProvidersFipsAesCryptoProvider/Upendo.Libraries.UpendoProvidersFipsAesCryptoProvider.csproj

Path to vulnerable library: /netnuke.core/9.2.1.533/dotnetnuke.core.9.2.1.533.nupkg

Dependency Hierarchy:

  • dotnetnuke.core.9.2.1.533.nupkg (Vulnerable Library)

Found in HEAD commit: d6abd56cf0fd6b2d3d2037d2844bf7d7d130c52c

Found in base branch: development

Vulnerability Details

Relative Path Traversal in GitHub repository dnnsoftware/dnn.platform prior to 9.11.0.

Publish Date: 2022-09-30

URL: CVE-2022-2922

CVSS 3 Score Details (4.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-9w72-2f23-57gm

Release Date: 2022-09-30

Fix Resolution: DotNetNuke.Core - 9.11.0, DotNetNuke.Web - 9.11.0


