CVE-2018-15811 : DNN (aka DotNetNuke) 9.2 through 9.2.1 uses a weak encryption algorithm to prote

DNN (aka DotNetNuke) 9.2 through 9.2.1 uses a weak encryption algorithm to protect input parameters.

Published 2019-07-03 17:15:10

Updated 2025-03-07 14:24:42

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2018-15811

Dnnsoftware » Dotnetnuke
Versions from including (>=) 9.2 and up to, including, (<=) 9.2.1
cpe:2.3:a:dnnsoftware:dotnetnuke:*:*:*:*:*:*:*:*
Matching versions

CVE-2018-15811 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

DotNetNuke (DNN) Inadequate Encryption Strength Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

DotNetNuke (DNN) contains an inadequate encryption strength vulnerability resulting from the use of a weak encryption algorithm to protect input parameters.

Notes:

https://nvd.nist.gov/vuln/detail/CVE-2018-15811

Added on 2021-11-03 Action due date 2022-05-03

Exploit prediction scoring system (EPSS) score for CVE-2018-15811

EPSS FAQ

76.12%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 99 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2018-15811

DotNetNuke Cookie Deserialization Remote Code Excecution

Disclosure Date: 2017-07-20

First seen: 2020-04-26

exploit/windows/http/dnn_cookie_deserialization_rce

This module exploits a deserialization vulnerability in DotNetNuke (DNN) versions 5.0.0 to 9.3.0-RC. Vulnerable versions store profile information for users in the DNNPersonalization cookie as XML. The expected structure includes a "type" attribute to instruct the serv

More information

CVSS scores for CVE-2018-15811

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-02-04
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2018-15811

CWE-326 Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2018-15811

http://packetstormsecurity.com/files/157080/DotNetNuke-Cookie-Deserialization-Remote-Code-Execution.html

DotNetNuke Cookie Deserialization Remote Code Execution ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry

CVEs referencing this url
https://github.com/dnnsoftware/Dnn.Platform/releases

Releases · dnnsoftware/Dnn.Platform · GitHub
Release Notes

CVEs referencing this url
https://www.dnnsoftware.com/community/security/security-center

DNN Security Updates | DNN (DotNetNuke)
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2018-15811