Vulnerabilities > CVE-2020-11585 - Authorization Bypass Through User-Controlled Key vulnerability in Dnnsoftware Dotnetnuke 9.5.0

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

LOW

Integrity impact

NONE

Availability impact

NONE

network

low complexity

dnnsoftware

CWE-639

NVD

Published: 2020-04-06

Updated: 2021-07-21

Summary

There is an information disclosure issue in DNN (formerly DotNetNuke) 9.5 within the built-in Activity-Feed/Messaging/Userid/ Message Center module. A registered user is able to enumerate any file in the Admin File Manager (other than ones contained in a secure folder) by sending themselves a message with the file attached, e.g., by using an arbitrary small integer value in the fileIds parameter.

Vulnerable Configurations

Part	Description	Count
Application	Dnnsoftware Dnnsoftware Dotnetnuke 9.5.0	1

Common Weakness Enumeration (CWE)

CWE-639 - Authorization Bypass Through User-Controlled Key

References

https://neff.blog/2020/04/04/dotnetnuke-9-5-file-path-information-disclosure/