Information Disclosure in DNN 9.5 Affecting File Management
CVE-2020-11585

4.3MEDIUM

Key Information:

Vendor: Dnnsoftware
Status: Dotnetnuke
Vendor: CVE Published:; 6 April 2020

🔔 Create Dnnsoftware Vulnerability Alert

What is CVE-2020-11585?

An information disclosure issue exists in DNN (formerly DotNetNuke) version 9.5, impacting the Activity-Feed/Messaging/Userid/Message Center module. This flaw allows a registered user to exploit the system by enumerating files within the Admin File Manager, specifically those not housed in a secure folder. By sending themselves a message with a file attached, the user can leverage an arbitrary integer value in the fileIds parameter to access sensitive file paths.

References

https://neff.blog/2020/04/04/dotnetnuke-9-5-file-path-inf...

x_refsource_MISC

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 6, 2020
Vulnerability Reserved
Apr 6, 2020