CVE-2008-6540

Dotnetnuke < 4.8.1 - Access Control

Title source: rule

Description

DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the default keys.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Brian Holyfield · remotewindows

https://www.exploit-db.com/exploits/31465

View Code ZIP pw:eip

References (6)

[Vendor Advisory] http://secunia.com/advisories/29488

[Vendor Advisory] http://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno12/tabid/1148/Default.aspx

[Exploit] http://www.securityfocus.com/bid/28391

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/41399

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/489957/100/0/threaded

[Third Party Advisory, VDB Entry] http://osvdb.org/43720

Scores

EPSS 0.0533

EPSS Percentile 90.1%

Details

CWE

CWE-264

Status published

Products (18)

dotnetnuke/dotnetnuke 1.0.6

dotnetnuke/dotnetnuke 1.0.7

dotnetnuke/dotnetnuke 1.0.8

dotnetnuke/dotnetnuke 1.0.9

dotnetnuke/dotnetnuke 1.0.10d

dotnetnuke/dotnetnuke 1.0.10e

dotnetnuke/dotnetnuke 2.1.1

dotnetnuke/dotnetnuke 2.1.2

dotnetnuke/dotnetnuke 3.0.7

dotnetnuke/dotnetnuke 3.0.8

... and 8 more

Published Mar 30, 2009

Tracked Since Feb 18, 2026