← back
CVE-2018-15811

CVE-2018-15811

CVSS 7.5 HIGHEPSS 74.0%● KEVCWE-326
In short

DNN (DotNetNuke) versions 9.2 to 9.2.1 use weak encryption to protect user input parameters, making it possible for attackers to decrypt and tamper with sensitive data in transit.

Technical detail

CWE-326: DNN 9.2-9.2.1 implements insufficient cryptographic strength for parameter encryption, allowing an attacker with network access to potentially recover plaintext from encrypted parameters. The weak algorithm reduces the effective security strength of the encryption mechanism, enabling feasible cryptanalysis attacks.

Summary generated and translated by AI from the official description.
DNN (aka DotNetNuke) 9.2 through 9.2.1 uses a weak encryption algorithm to protect input parameters.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
n/a · n/a
public PoCs found2
cve_referencepacketstormsecurity.com/files/157080/DotNetNuke-Cookie-Deserialization-Remote-Code-Execution.htmlunverifiedexploitdbwww.exploit-db.com/exploits/48336unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/157080/DotNetNuke-Cookie-Deserialization-Remote-Code-Execution.htmlhttps://github.com/dnnsoftware/Dnn.Platform/releaseshttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-15811https://www.dnnsoftware.com/community/security/security-center