Dnnsoftware: >> Dotnetnuke Security Vulnerabilities
Stored Cross-Site Scripting in DotNetNuke (DNN) Version before 9.4.0 allows remote attackers to store and embed the malicious script into the admin notification page. The exploit could be used to perfom any action with admin privileges such as managing content, adding users, uploading backdoors to the server, etc. Successful exploitation occurs when an admin user visits a notification page with stored cross-site scripting.
CVSS Score
6.1
EPSS Score
0.387
Published
2019-09-26
CVE-2018-15811
DNN (aka DotNetNuke) 9.2 through 9.2.1 uses a weak encryption algorithm to protect input parameters.
Known exploited
CVSS Score
7.5
EPSS Score
0.93
Published
2019-07-03
DNN (aka DotNetNuke) 9.2 through 9.2.1 incorrectly converts encryption key source values, resulting in lower than expected entropy.
CVSS Score
7.5
EPSS Score
0.78
Published
2019-07-03
CVE-2018-18325
DNN (aka DotNetNuke) 9.2 through 9.2.2 uses a weak encryption algorithm to protect input parameters. NOTE: this issue exists because of an incomplete fix for CVE-2018-15811.
Known exploited
CVSS Score
7.5
EPSS Score
0.93
Published
2019-07-03
DNN (aka DotNetNuke) 9.2 through 9.2.2 incorrectly converts encryption key source values, resulting in lower than expected entropy. NOTE: this issue exists because of an incomplete fix for CVE-2018-15812.
CVSS Score
7.5
EPSS Score
0.763
Published
2019-07-03
DNN (formerly DotNetNuke) 9.1.1 allows cross-site scripting (XSS) via XML.
CVSS Score
6.1
EPSS Score
0.005
Published
2019-03-21
DNN (aka DotNetNuke) before 9.2.0 suffers from a Server-Side Request Forgery (SSRF) vulnerability in the DnnImageHandler class. Attackers may be able to access information about internal network resources.
CVSS Score
7.5
EPSS Score
0.926
Published
2018-07-03
CVE-2017-9822
DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code execution on DNN sites."
Known exploited
CVSS Score
8.8
EPSS Score
0.943
Published
2017-07-20
The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.
CVSS Score
9.8
EPSS Score
0.923
Published
2017-02-06
Cross-site scripting (XSS) vulnerability in the user-profile biography section in DotNetNuke (DNN) before 8.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted onclick attribute in an IMG element.
CVSS Score
5.4
EPSS Score
0.002
Published
2016-08-31