DotNetNuke Default Machine Key Exposure

GHSA-grw3-hjjm-5cjm · CVE-2008-6540

Published May 14, 2022 · Modified Nov 8, 2023

Description

DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the default keys.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2008-6540
WEB https://exchange.xforce.ibmcloud.com/vulnerabilities/41399
PACKAGE https://github.com/dnnsoftware/Dnn.Platform
WEB http://osvdb.org/43720
WEB http://secunia.com/advisories/29488
WEB http://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno12/tabid/1148/Default.aspx
WEB http://www.securityfocus.com/archive/1/489957/100/0/threaded
WEB http://www.securityfocus.com/bid/28391

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes