Improper access control in DotNetNuke - CVE-2015-2794

 


Published: August 20, 2016


Vulnerability identifier: #VU336
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2015-2794
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vendor: DNN
Affected software:
DotNetNuke

Detailed vulnerability description

The vulnerability allows a remote attacker to gain complete control over a vulnerable web application.

The vulnerability exists due to improper access control to the DotNetNuke installation script /Install/InstallWizard.aspx. A remote unauthenticated attacker can guess the SQL Server instance name and reinstall the DotNetNuke application.

Successful exploitation of the vulnerability will allow an attacker to gain complete access to the web application.
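
A defender-side check for the exposure described above, added here as an example and not part of the original advisory: it scans IIS W3C extended logs for requests to /Install/InstallWizard.aspx and groups them by client IP, separating requests the server actually served from those it rejected. The log lines are constructed sample data, and it is an assumption that the site logs the `cs-uri-stem`, `c-ip`, `cs-method` and `sc-status` fields.

```python
from collections import defaultdict

WIZARD_PATH = "/install/installwizard.aspx"  # path named in the advisory, lower-cased

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2016-08-20 10:01:02 GET /Default.aspx - 198.51.100.7 Mozilla/5.0 200
2016-08-20 10:01:09 GET /Install/InstallWizard.aspx - 203.0.113.5 Mozilla/5.0 404
2016-08-20 10:02:11 GET /install/installwizard.aspx - 203.0.113.9 curl/7.47 200
2016-08-20 10:02:15 POST /Install/InstallWizard.aspx/ - 203.0.113.9 curl/7.47 200
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2016-08-21 03:00:00 192.0.2.44 GET /Install/Install.aspx 200
"""

def find_wizard_hits(lines):
    """Yield dict rows for every request whose URI stem is the install wizard."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # field layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                       # truncated or malformed entry
        row = dict(zip(fields, values))
        stem = row.get("cs-uri-stem", "").lower().rstrip("/")  # IIS paths ignore case
        if stem == WIZARD_PATH:
            yield row

def summarize(lines):
    """Group hits by client IP; 'served' counts 2xx responses (wizard reachable)."""
    summary = defaultdict(lambda: {"requests": 0, "served": 0, "posts": 0})
    for row in find_wizard_hits(lines):
        entry = summary[row.get("c-ip", "unknown")]
        entry["requests"] += 1
        entry["served"] += row.get("sc-status", "").startswith("2")
        entry["posts"] += row.get("cs-method", "") == "POST"
    return dict(summary)

if __name__ == "__main__":
    for ip, stats in summarize(SAMPLE_LOG.splitlines()).items():
        print(ip, stats)
```

Any client with a non-zero `served` count reached the wizard on a site that should already be installed; a non-zero `posts` count means form submissions to it and is the higher-priority lead.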


How to mitigate CVE-2015-2794

Update to version 07.04.01.
