CVE-2008-6540

Dotnetnuke < 4.8.1 - Access Control

Title source: rule

Description

DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the default keys.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Brian Holyfield · remotewindows

https://www.exploit-db.com/exploits/31465

View Code ZIP pw:eip

References (6)

[Vendor Advisory] http://secunia.com/advisories/29488

[Vendor Advisory] http://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno12/tabid/1148/Default.aspx

[Exploit] http://www.securityfocus.com/bid/28391

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/41399

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/489957/100/0/threaded

[Third Party Advisory, VDB Entry] http://osvdb.org/43720

Scores

EPSS 0.0520

EPSS Percentile 89.7%

Classification

CWE

CWE-264

Status draft

Affected Products (18)

dotnetnuke/dotnetnuke < 4.8.1

dotnetnuke/dotnetnuke

dotnetnuke/dotnetnuke

dotnetnuke/dotnetnuke

dotnetnuke/dotnetnuke

dotnetnuke/dotnetnuke

dotnetnuke/dotnetnuke

dotnetnuke/dotnetnuke

dotnetnuke/dotnetnuke

dotnetnuke/dotnetnuke

dotnetnuke/dotnetnuke

dotnetnuke/dotnetnuke

dotnetnuke/dotnetnuke

dotnetnuke/dotnetnuke

dotnetnuke/dotnetnuke

... and 3 more

Timeline

Published Mar 30, 2009

Tracked Since Feb 18, 2026