CVE-2008-6540 : DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) Validation

DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the default keys.

Published 2009-03-30 01:30:00

Updated 2018-10-11 20:57:24

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2008-6540

Probability of exploitation activity in the next 30 days: 6.38%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 93 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2008-6540

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.1	MEDIUM	AV:N/AC:H/Au:N/C:P/I:P/A:P	4.9	6.4	NIST
Access Vector: Network Access Complexity: High Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2008-6540

CWE-264

Assigned by: nvd@nist.gov (Primary)

References for CVE-2008-6540

http://www.securityfocus.com/archive/1/489957/100/0/threaded
https://exchange.xforce.ibmcloud.com/vulnerabilities/41399

DotNetNuke web.config file weak security CVE-2008-6540 Vulnerability Report
http://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno12/tabid/1148/Default.aspx

404 Error - Page Not Found | DNN CMS & Online Community Software
Vendor Advisory
http://www.securityfocus.com/bid/28391

Exploit

Products affected by CVE-2008-6540

Dotnetnuke » Dotnetnuke
Versions up to, including, (<=) 4.8.1
cpe:2.3:a:dotnetnuke:dotnetnuke:*:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 1.0.10d
cpe:2.3:a:dotnetnuke:dotnetnuke:1.0.10d:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 1.0.8
cpe:2.3:a:dotnetnuke:dotnetnuke:1.0.8:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 1.0.9
cpe:2.3:a:dotnetnuke:dotnetnuke:1.0.9:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 1.0.6
cpe:2.3:a:dotnetnuke:dotnetnuke:1.0.6:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 1.0.7
cpe:2.3:a:dotnetnuke:dotnetnuke:1.0.7:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 2.1.1
cpe:2.3:a:dotnetnuke:dotnetnuke:2.1.1:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 2.1.2
cpe:2.3:a:dotnetnuke:dotnetnuke:2.1.2:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 3.0.7
cpe:2.3:a:dotnetnuke:dotnetnuke:3.0.7:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 1.0.10e
cpe:2.3:a:dotnetnuke:dotnetnuke:1.0.10e:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 3.0.8
cpe:2.3:a:dotnetnuke:dotnetnuke:3.0.8:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 3.1.0
cpe:2.3:a:dotnetnuke:dotnetnuke:3.1.0:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 4.0
cpe:2.3:a:dotnetnuke:dotnetnuke:4.0:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 4.5.2
cpe:2.3:a:dotnetnuke:dotnetnuke:4.5.2:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 3.0.11
cpe:2.3:a:dotnetnuke:dotnetnuke:3.0.11:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 4.3.5
cpe:2.3:a:dotnetnuke:dotnetnuke:4.3.5:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 3.3.5
cpe:2.3:a:dotnetnuke:dotnetnuke:3.3.5:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2008-6540

Exploit prediction scoring system (EPSS) score for CVE-2008-6540

CVSS scores for CVE-2008-6540

CWE ids for CVE-2008-6540

References for CVE-2008-6540

Products affected by CVE-2008-6540