CVE-2008-6540 : DotNetNuke before 4.8.2, during installation or upgrade, does not warn the admin

DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the default keys.

Published 2009-03-30 01:30:00

Updated 2025-04-09 00:30:58

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2008-6540

Dotnetnuke » Dotnetnuke
Versions up to, including, (<=) 4.8.1
cpe:2.3:a:dotnetnuke:dotnetnuke:*:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 1.0.10d
cpe:2.3:a:dotnetnuke:dotnetnuke:1.0.10d:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 1.0.8
cpe:2.3:a:dotnetnuke:dotnetnuke:1.0.8:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 1.0.9
cpe:2.3:a:dotnetnuke:dotnetnuke:1.0.9:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 1.0.6
cpe:2.3:a:dotnetnuke:dotnetnuke:1.0.6:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 1.0.7
cpe:2.3:a:dotnetnuke:dotnetnuke:1.0.7:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 2.1.1
cpe:2.3:a:dotnetnuke:dotnetnuke:2.1.1:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 2.1.2
cpe:2.3:a:dotnetnuke:dotnetnuke:2.1.2:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 3.0.7
cpe:2.3:a:dotnetnuke:dotnetnuke:3.0.7:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 1.0.10e
cpe:2.3:a:dotnetnuke:dotnetnuke:1.0.10e:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 3.0.8
cpe:2.3:a:dotnetnuke:dotnetnuke:3.0.8:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 3.1.0
cpe:2.3:a:dotnetnuke:dotnetnuke:3.1.0:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 4.0
cpe:2.3:a:dotnetnuke:dotnetnuke:4.0:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 4.5.2
cpe:2.3:a:dotnetnuke:dotnetnuke:4.5.2:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 3.0.11
cpe:2.3:a:dotnetnuke:dotnetnuke:3.0.11:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 4.3.5
cpe:2.3:a:dotnetnuke:dotnetnuke:4.3.5:*:*:*:*:*:*:*
Matching versions
Dotnetnuke » Dotnetnuke » Version: 3.3.5
cpe:2.3:a:dotnetnuke:dotnetnuke:3.3.5:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2008-6540

EPSS FAQ

5.20%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 89 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2008-6540

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.1	MEDIUM	AV:N/AC:H/Au:N/C:P/I:P/A:P	4.9	6.4	NIST
Access Vector: Network Access Complexity: High Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2008-6540

CWE-264

Assigned by: nvd@nist.gov (Primary)

References for CVE-2008-6540

http://osvdb.org/43720
http://www.securityfocus.com/archive/1/489957/100/0/threaded
http://secunia.com/advisories/29488

About Secunia Research | Flexera
Vendor Advisory

CVEs referencing this url
https://exchange.xforce.ibmcloud.com/vulnerabilities/41399

DotNetNuke web.config file weak security CVE-2008-6540 Vulnerability Report
http://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno12/tabid/1148/Default.aspx

404 Error - Page Not Found | DNN CMS & Online Community Software
Vendor Advisory
http://www.securityfocus.com/bid/28391

Exploit

Jump to

Vulnerability Details : CVE-2008-6540

Products affected by CVE-2008-6540

Exploit prediction scoring system (EPSS) score for CVE-2008-6540

CVSS scores for CVE-2008-6540

CWE ids for CVE-2008-6540

References for CVE-2008-6540