CVE-2018-18326

HIGH

DNN 9.2-9.2.2 - Info Disclosure

Title source: llm

Description

DNN (aka DotNetNuke) 9.2 through 9.2.2 incorrectly converts encryption key source values, resulting in lower than expected entropy. NOTE: this issue exists because of an incomplete fix for CVE-2018-15812.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/48336

View Code ZIP pw:eip

References (3)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/157080/DotNetNuke-Cookie-Deserialization-Remote-Code-Execution.html

[Release Notes] https://github.com/dnnsoftware/Dnn.Platform/releases

[Vendor Advisory] https://www.dnnsoftware.com/community/security/security-center

Scores

CVSS v3 7.5

EPSS 0.7654

EPSS Percentile 98.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-331

Status published

Affected Products (2)

dnnsoftware/dotnetnuke < 9.2.2

nuget/DotNetNuke.Core < 9.3.0NuGet

Timeline

Published Jul 03, 2019

Tracked Since Feb 18, 2026