Lucene search

GitHub Advisory DatabaseGHSA-GRW3-HJJM-5CJM

HistoryMay 14, 2022 - 2:38 a.m.

DotNetNuke Default Machine Key Exposure

2022-05-1402:38:47

CWE-453

GitHub Advisory Database

github.com

5.1 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

0.064 Low

EPSS

Percentile

93.7%

JSON

DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the default keys.

Affected configurations

Vulners

Node

dotnetnuke.coreRange<4.8.2

CPENameOperatorVersion
dotnetnuke.corelt4.8.2

CPE	Name	Operator	Version
	dotnetnuke.core	lt	4.8.2

References

osvdb.org/43720

secunia.com/advisories/29488

www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno12/tabid/1148/Default.aspx

www.securityfocus.com/archive/1/489957/100/0/threaded

www.securityfocus.com/bid/28391

exchange.xforce.ibmcloud.com/vulnerabilities/41399

github.com/advisories/GHSA-grw3-hjjm-5cjm

nvd.nist.gov/vuln/detail/CVE-2008-6540

5.1 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

0.064 Low

EPSS

Percentile

93.7%

JSON

Related for GHSA-GRW3-HJJM-5CJM