Vulnerability Details CVE-2020-11585
There is an information disclosure issue in DNN (formerly DotNetNuke) 9.5 within the built-in Activity-Feed/Messaging/Userid/ Message Center module. A registered user is able to enumerate any file in the Admin File Manager (other than ones contained in a secure folder) by sending themselves a message with the file attached, e.g., by using an arbitrary small integer value in the fileIds parameter.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 47.0%
CVSS Severity
CVSS v3 Score 4.3
CVSS v2 Score 4.0
References
Products affected by CVE-2020-11585
-
cpe:2.3:a:dnnsoftware:dotnetnuke:9.5.0