CVE-2008-6540

critical

Description

DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the default keys.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/41399

http://www.securityfocus.com/archive/1/489957/100/0/threaded

http://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno12/tabid/1148/Default.aspx

http://secunia.com/advisories/29488

http://osvdb.org/43720

Details

Source: Mitre, NVD

Published: 2009-03-30

Updated: 2018-10-11

Risk Information

CVSS v2

Base Score: 5.1

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Severity: Critical