Vulnerabilities > CVE-2017-0929 - Server-Side Request Forgery (SSRF) vulnerability in Dnnsoftware Dotnetnuke

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

low complexity

dnnsoftware

CWE-918

NVD

Published: 2018-07-03

Updated: 2018-09-04

Summary

DNN (aka DotNetNuke) before 9.2.0 suffers from a Server-Side Request Forgery (SSRF) vulnerability in the DnnImageHandler class. Attackers may be able to access information about internal network resources.

Vulnerable Configurations

Part	Description	Count
Application	Dnnsoftware Dnnsoftware Dotnetnuke 7.1.2.164 Dnnsoftware Dotnetnuke 7.1.2.165 Dnnsoftware Dotnetnuke 7.1.2.166 Dnnsoftware Dotnetnuke 7.1.2.167 Dnnsoftware Dotnetnuke 7.1.2.168 Dnnsoftware Dotnetnuke 7.1.2.169 Dnnsoftware Dotnetnuke 7.1.2.170 Dnnsoftware Dotnetnuke 7.1.2.171 Dnnsoftware Dotnetnuke 7.1.2.172 Dnnsoftware Dotnetnuke 7.1.2.173 Dnnsoftware Dotnetnuke 7.1.2.174 Dnnsoftware Dotnetnuke 7.1.2.175 Dnnsoftware Dotnetnuke 7.1.2.176 Dnnsoftware Dotnetnuke 7.1.2.177 Dnnsoftware Dotnetnuke 7.1.2.178 Dnnsoftware Dotnetnuke 7.1.2.179 Dnnsoftware Dotnetnuke 7.1.2.180 Dnnsoftware Dotnetnuke 7.1.2.181 Dnnsoftware Dotnetnuke 7.1.2.182 Dnnsoftware Dotnetnuke 7.1.2.183 Dnnsoftware Dotnetnuke 7.1.2.184 Dnnsoftware Dotnetnuke 7.1.2.185 Dnnsoftware Dotnetnuke 7.1.2.186 Dnnsoftware Dotnetnuke 7.1.2.187 Dnnsoftware Dotnetnuke 7.1.2.188 Dnnsoftware Dotnetnuke 7.1.2.189 Dnnsoftware Dotnetnuke 7.1.2.190 Dnnsoftware Dotnetnuke 7.1.2.191 Dnnsoftware Dotnetnuke 7.1.2.192 Dnnsoftware Dotnetnuke 7.1.2.193 Dnnsoftware Dotnetnuke 7.1.2.194 Dnnsoftware Dotnetnuke 7.1.2.195 Dnnsoftware Dotnetnuke 7.1.2.196 Dnnsoftware Dotnetnuke 7.1.2.197 Dnnsoftware Dotnetnuke 7.1.2.198 Dnnsoftware Dotnetnuke 7.1.2.199 Dnnsoftware Dotnetnuke 7.1.2.200 Dnnsoftware Dotnetnuke 7.1.2.201 Dnnsoftware Dotnetnuke 7.1.2.202 Dnnsoftware Dotnetnuke 7.1.2.203 Dnnsoftware Dotnetnuke 7.1.2.204 Dnnsoftware Dotnetnuke 7.1.2.205 Dnnsoftware Dotnetnuke 7.1.2.206 Dnnsoftware Dotnetnuke 7.1.2.207 Dnnsoftware Dotnetnuke 7.1.2.208 Dnnsoftware Dotnetnuke 7.1.2.209 Dnnsoftware Dotnetnuke 7.1.2.210 Dnnsoftware Dotnetnuke 7.1.2.211 Dnnsoftware Dotnetnuke 7.1.2.212 Dnnsoftware Dotnetnuke 7.1.2.213 Dnnsoftware Dotnetnuke 7.1.2.214 Dnnsoftware Dotnetnuke 7.1.2.215 Dnnsoftware Dotnetnuke 7.1.2.216 Dnnsoftware Dotnetnuke 7.1.2.217 Dnnsoftware Dotnetnuke 7.1.2.218 Dnnsoftware Dotnetnuke 7.1.2.219 Dnnsoftware Dotnetnuke 7.1.2.220 Dnnsoftware Dotnetnuke 7.1.2.221 Dnnsoftware Dotnetnuke 7.1.2.222 Dnnsoftware Dotnetnuke 7.1.2.223 Dnnsoftware Dotnetnuke 7.1.2.224 Dnnsoftware Dotnetnuke 7.1.2.225 Dnnsoftware Dotnetnuke 7.1.2.226 Dnnsoftware Dotnetnuke 7.1.2.227 Dnnsoftware Dotnetnuke 7.1.2.228 Dnnsoftware Dotnetnuke 7.2.0.607 Dnnsoftware Dotnetnuke 7.2.1.367 Dnnsoftware Dotnetnuke 7.3.0.499 Dnnsoftware Dotnetnuke 7.3.1.20 Dnnsoftware Dotnetnuke 7.3.2.109 Dnnsoftware Dotnetnuke 7.3.3.118 Dnnsoftware Dotnetnuke 7.3.4.45 Dnnsoftware Dotnetnuke 7.4.0.353 Dnnsoftware Dotnetnuke 7.5.0.875 Dnnsoftware Dotnetnuke 7.5.0.885 Dnnsoftware Dotnetnuke 8.0.0 Dnnsoftware Dotnetnuke 8.0.1 Dnnsoftware Dotnetnuke 8.0.2 Dnnsoftware Dotnetnuke 8.0.3 Dnnsoftware Dotnetnuke 8.0.4 Dnnsoftware Dotnetnuke 9.0.0 Dnnsoftware Dotnetnuke 9.0.1 Dnnsoftware Dotnetnuke 9.0.2 Dnnsoftware Dotnetnuke 9.1.0 Dnnsoftware Dotnetnuke 9.1.1 Dnnsoftware Dotnetnuke 9.2	86

Common Weakness Enumeration (CWE)

CWE-918 - Server-Side Request Forgery (SSRF)

References

https://github.com/dnnsoftware/Dnn.Platform/commit/d3953db85fee77bb5e6383747692c507ef8b94c3