#VU336 Improper access control in DotNetNuke - CVE-2015-2794

 


Published: August 20, 2016


Vulnerability identifier: #VU336
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2015-2794
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vulnerable software: DotNetNuke
Software vendor: DNN

Description

The vulnerability allows a remote attacker to gain complete control over a vulnerable web application.

The vulnerability exists due to improper access control on the DotNetNuke installation script /Install/InstallWizard.aspx. A remote unauthenticated attacker can guess the SQL Server instance name and reinstall the DotNetNuke application.

Successful exploitation of the vulnerability will allow an attacker to gain complete access to the web application.
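
One way to review IIS W3C logs for requests to the install wizard path named above. This is an added example, not part of the original advisory or DNN's own code. The function names, the sample log lines and the field layout are constructed for illustration.

```python
"""Flag requests to the DNN install wizard in IIS W3C extended logs."""
from collections import defaultdict

# Path named in the advisory; IIS treats URL paths case-insensitively.
WIZARD_PATH = "/install/installwizard.aspx"

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2016-08-20 10:00:01 192.0.2.10 GET /Default.aspx - 80 - 198.51.100.7 Mozilla/5.0 200
2016-08-20 10:00:05 192.0.2.10 GET /Install/InstallWizard.aspx - 80 - 203.0.113.45 Mozilla/5.0 200
2016-08-20 10:00:09 192.0.2.10 POST /install/installwizard.aspx - 80 - 203.0.113.45 Mozilla/5.0 200
2016-08-20 10:01:00 192.0.2.10 GET /Install/InstallWizard.aspx - 80 - 198.51.100.9 Mozilla/5.0 404
"""

def find_wizard_hits(log_text):
    """Return one dict per request whose URI stem is the install wizard."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The column layout can change mid-file; honour the latest directive.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated row
        row = dict(zip(fields, values))
        if row.get("cs-uri-stem", "").lower() == WIZARD_PATH:
            hits.append(row)
    return hits

def summarize(hits):
    """Group hits per client IP: request count, methods, and any 2xx response."""
    summary = defaultdict(lambda: {"requests": 0, "methods": set(), "served": False})
    for row in hits:
        entry = summary[row.get("c-ip", "unknown")]
        entry["requests"] += 1
        entry["methods"].add(row.get("cs-method", "?"))
        if row.get("sc-status", "").startswith("2"):
            entry["served"] = True  # the server returned the page instead of blocking it
    return dict(summary)

if __name__ == "__main__":
    for ip, info in sorted(summarize(find_wizard_hits(SAMPLE_LOG)).items()):
        print(ip, info["requests"], sorted(info["methods"]), info["served"])
```

Clients that received a 2xx response, and any POST to this path on a site that is already installed, are the entries to review first.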


Remediation

Update to version 07.04.01.
