CVE-2020-11585

MEDIUM

Dnnsoftware Dotnetnuke - Information Disclosure

Title source: rule

Description

There is an information disclosure issue in DNN (formerly DotNetNuke) 9.5 within the built-in Activity-Feed/Messaging/Userid/ Message Center module. A registered user is able to enumerate any file in the Admin File Manager (other than ones contained in a secure folder) by sending themselves a message with the file attached, e.g., by using an arbitrary small integer value in the fileIds parameter.

References (1)

[Exploit, Third Party Advisory] https://neff.blog/2020/04/04/dotnetnuke-9-5-file-path-information-disclosure/

Scores

CVSS v3 4.3

EPSS 0.0024

EPSS Percentile 47.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-639 CWE-330

Status published

Products (1)

dnnsoftware/dotnetnuke 9.5.0

Published Apr 06, 2020

Tracked Since Feb 18, 2026