Main Vulnerability Database Vulnerabilities #VU34597

Information disclosure in DotNetNuke - CVE-2020-11585

Published: April 6, 2020 / Updated: August 8, 2020

Vulnerability identifier: #VU34597

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2020-11585

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: DNN

Affected software:
DotNetNuke

Detailed vulnerability description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

There is an information disclosure issue in DNN (formerly DotNetNuke) 9.5 within the built-in Activity-Feed/Messaging/Userid/ Message Center module. A registered user is able to enumerate any file in the Admin File Manager (other than ones contained in a secure folder) by sending themselves a message with the file attached, e.g., by using an arbitrary small integer value in the fileIds parameter.

How to mitigate CVE-2020-11585

Install update from vendor's website.

Sources

https://neff.blog/2020/04/04/dotnetnuke-9-5-file-path-information-disclosure/

Information disclosure in DotNetNuke - CVE-2020-11585

Detailed vulnerability description

How to mitigate CVE-2020-11585

Sources

Please verify you're human