Advisories

Please read our Vulnerability Disclosure Policy.


DotNetNuke Cross Site Request Forgery Vulnerability

Jun 14, 2010

DotNetNuke is a Content Management System (CMS) for the .NET platform, which powers “over 500,000” websites. This vulnerability affects version 5.4.2 and earlier.

It was discovered that the application allowed some sensitive actions, such as changing a registered email address, to be performed with only the session identifier used as authentication. An attacker could therefore alter a user's email address through a Cross Site Request Forgery (CSRF) attack. The forgotten password functionality could then be used to reset the password and consequently compromise the account.
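The following is an added, framework-neutral example, not DotNetNuke code and not part of the original advisory. It contrasts an email-change handler that trusts the session cookie alone with one that also requires a session-bound token and the current password. All names, the in-memory stores and the sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # demo key; a real deployment loads a persistent secret

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session, delivered in the form body, never in a cookie."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def change_email_session_only(sessions, users, cookie_sid, form):
    """The flawed pattern: the session cookie alone authorizes the change."""
    user = sessions.get(cookie_sid)
    if user is None:
        return False
    users[user]["email"] = form["email"]
    return True

def change_email_hardened(sessions, users, cookie_sid, form):
    """Requires proof the request came from the site's own form, plus re-authentication."""
    user = sessions.get(cookie_sid)
    if user is None:
        return False
    supplied = str(form.get("csrf_token", "")).encode()
    if not hmac.compare_digest(issue_csrf_token(cookie_sid).encode(), supplied):
        return False  # cross-site request: the cookie is sent, but the token is unknown
    record = users[user]
    attempt = hash_password(str(form.get("current_password", "")), record["salt"])
    if not hmac.compare_digest(attempt, record["pw_hash"]):
        return False  # email feeds password reset, so demand the current password
    record["email"] = form["email"]
    return True

def demo():
    """Constructed sample data: one user, one session, a forged and a genuine request."""
    salt = secrets.token_bytes(16)
    def fresh():
        return {"alice": {"email": "alice@example.test", "salt": salt,
                          "pw_hash": hash_password("correct horse", salt)}}
    sessions = {"sid-123": "alice"}
    forged = {"email": "other@example.test"}  # only the cookie rides along
    genuine = {"email": "alice2@example.test", "current_password": "correct horse",
               "csrf_token": issue_csrf_token("sid-123")}
    return (change_email_session_only(sessions, fresh(), "sid-123", forged),
            change_email_hardened(sessions, fresh(), "sid-123", forged),
            change_email_hardened(sessions, fresh(), "sid-123", genuine))
```

`demo()` returns whether each request was accepted: the session-only handler accepts the forged request, while the hardened handler rejects it and still accepts the genuine one.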


