Inadequate Encryption Strength in DotNetNuke

2019-07-0521:08:16

Google

osv.dev

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.043 Low

EPSS

Percentile

92.1%

JSON

DNN (aka DotNetNuke) 9.2 through 9.2.2 uses a weak encryption algorithm to protect input parameters. NOTE: this issue exists because of an incomplete fix for CVE-2018-15811.

CPENameOperatorVersion
dotnetnuke.coreeq7.0.6.121
dotnetnuke.coreeq7.2.0.613
dotnetnuke.coreeq9.2.1.533
dotnetnuke.coreeq7.3.0.499
dotnetnuke.coreeq8.0.0.809
dotnetnuke.coreeq9.0.1.142
dotnetnuke.coreeq9.1.1.129
dotnetnuke.coreeq8.0.3.5
dotnetnuke.coreeq7.4.0.353
dotnetnuke.coreeq8.0.1.239

Name	Operator	Version
dotnetnuke.core	eq	7.0.6.121
dotnetnuke.core	eq	7.2.0.613
dotnetnuke.core	eq	9.2.1.533
dotnetnuke.core	eq	7.3.0.499
dotnetnuke.core	eq	8.0.0.809
dotnetnuke.core	eq	9.0.1.142
dotnetnuke.core	eq	9.1.1.129
dotnetnuke.core	eq	8.0.3.5
dotnetnuke.core	eq	7.4.0.353
dotnetnuke.core	eq	8.0.1.239